Vulnerability Notice: CVE-2024-13448

Vendor:
ThemeREX

Affected Product:
AddOns

CVSS SCORE:
9.8 of 10 (Critical)

Risk Index:
4.96 of 10 (Medium)

Description

A critical vulnerability has been identified in the ThemeREX Addons plugin for WordPress. The ‘trx_addons_uploads_save_data’ function performs no file type validation in all versions up to, and including, 2.32.3, so unauthenticated attackers can upload arbitrary files to an affected site’s server, which can lead to remote code execution.

 

Affected Product(s)

  • ThemeREX Addons (Versions up to and including 2.32.3)

 

Technical Details

The ThemeREX Addons plugin is a popular companion plugin for ThemeREX WordPress themes. It provides a range of features that can be added to a WordPress website, including custom post types, shortcodes, and widgets. The vulnerability, tracked as CVE-2024-13448 and scored a critical 9.8 on the CVSS scale, stems from the ‘trx_addons_uploads_save_data’ function, which writes uploaded content to disk without validating its file type.

Plugin versions up to and including 2.32.3 do not restrict the types of files that can be uploaded, so an attacker can place a PHP script in a web-served directory and have the server execute it, giving remote code execution. The root cause is the absence of extension and content validation on the uploaded file. The weakness is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type).

When exploited, this vulnerability can allow a malicious user to upload web shells, ransomware, or other malware directly onto the WordPress server. Notably, the upload path is reachable without authentication, so a wide spectrum of threat actors can exploit it without prior access or privileged user credentials.

Exploitation consists of a crafted HTTP POST request carrying the file, which the vulnerable function processes and writes to disk. Once a web shell is on the server, the attacker has code execution in the context of the web server, enabling data exfiltration, deployment of additional payloads, or further reconnaissance within the network.

Threat actors continually scan WordPress sites for such vulnerabilities, particularly those involving popular plugins like ThemeREX Addons, due to their widespread adoption.

Wordfence, a security service specializing in WordPress security, has published details of this vulnerability and noted its potential for significant impact if left unaddressed. In short, the ‘trx_addons_uploads_save_data’ function mishandles file uploads, allowing unvalidated and potentially dangerous files to be written to the server and executed, which leads to remote code execution and the consequences that follow from it.

 

Weakness

This vulnerability is associated with the “Unrestricted Upload of File with Dangerous Type” weakness, identified as CWE-434. This type of weakness occurs when software does not restrict the types of files that users can upload, making it possible for attackers to upload malicious files. In the case of the ThemeREX Addons plugin, this oversight can lead to severe security breaches and unauthorized access to critical systems.

 

Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. In scenarios where an attacker successfully uploads a malicious file, they can execute commands remotely, potentially gaining control over the website and its underlying hosting environment. The consequences of such an exploit can range from website defacement, data theft, and deployment of further malware, to complete website takeover and server compromise.

 

Active Exploitation

Reports indicate that there is active exploitation of this vulnerability in the wild. Monitoring systems have detected various attempts by cyber adversaries to upload malicious scripts via the vulnerable ‘trx_addons_uploads_save_data’ function. Attackers are employing automated tools to scan for and exploit this vulnerability across numerous WordPress installations, making it imperative for users of the ThemeREX Addons plugin to take immediate action to mitigate this risk.

Ransomware Association

The vulnerability has been linked to ransomware attacks, specifically through malicious file uploads that might serve as an initial access vector. Attackers exploiting this vulnerability could upload ransomware payloads that, upon execution, encrypt the victim’s data, demanding a ransom for decryption keys. This direct association with such high-impact attacks underscores the critical nature of addressing this vulnerability promptly.

 

Mitigation and Resolution

A patched release is available. Update to version 2.34.0 or later immediately to secure your WordPress site. The updated version adds proper file type validation so that unauthenticated users can no longer upload arbitrary files.

 

Recommendations

  • We strongly recommend that all customers apply the latest patch as soon as possible.
  • Update the ThemeREX Addons plugin to version 2.34.0 or higher.
  • Restrict uploads to an allow-list of extensions and disable script execution in the uploads directory through web server configuration, so that an uploaded PHP file cannot run even if a future upload bug slips through.
  • Regularly scan your website for vulnerabilities and ensure all plugins are up to date.
  • Monitor your site for indicators of exploitation: new or modified files under wp-content/uploads, unexpected .php files or double extensions in that tree, and unusual POST requests to the site.
  • Utilize a Web Application Firewall (WAF) to provide an additional layer of protection against similar vulnerabilities.
  • Inform your IT department or website administrator about the critical nature of this update.
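The monitoring recommendation is easiest to act on with a script. The following Python scanner, added here as an example rather than something ThemeREX or Wordfence ships, walks a WordPress uploads tree and flags what an arbitrary file upload typically leaves behind: files with PHP extensions, double extensions that hide a PHP extension, image files carrying a PHP open tag, and an .htaccess that maps extra extensions to PHP. The extension set and the sample tree are constructed assumptions; run it against the real wp-content/uploads path, optionally limited to files changed since the plugin was patched, and review each finding by hand.

```python
import os
import re
import tempfile

# Extensions a typical PHP handler configuration executes. Assumption: check
# the host's own handler map, since it may include more or fewer than these.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "inc"}
PHP_TAG = re.compile(rb"<\?(php\b|=)")
HTACCESS_HANDLER = re.compile(
    rb"^\s*(AddType|AddHandler|SetHandler|php_value|php_flag)", re.I | re.M
)


def scan_uploads(root, modified_since=0.0):
    """Walk an uploads tree and return a sorted list of (relative_path, reason)
    for files that should not be in a directory that only holds media.
    Files with an mtime older than modified_since (epoch seconds) are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < modified_since:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            exts = name.lower().split(".")[1:]       # every extension after the first dot
            with open(path, "rb") as fh:
                head = fh.read(65536)                # enough to catch a tag after an image header
            if name.lower() == ".htaccess":
                if HTACCESS_HANDLER.search(head):
                    findings.append((rel, "htaccess maps extra extensions to PHP"))
                continue
            if exts and exts[-1] in EXECUTABLE_EXTS:
                findings.append((rel, "executable extension in uploads"))
            elif any(e in EXECUTABLE_EXTS for e in exts):
                findings.append((rel, "double extension hiding PHP"))
            elif PHP_TAG.search(head):
                findings.append((rel, "PHP open tag inside non-PHP file"))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree, scan it, and return the findings."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    files = {  # constructed sample files, not captured from any site
        "2024/12/photo.png": png,
        "2024/12/shell.php": b"<?php eval($_POST['x']); ?>",
        "2024/12/cat.php.jpg": b"\xff\xd8\xff" + b"<?php system($_GET['c']); ?>",
        "2024/12/banner.gif": b"GIF89a" + b"<?php echo 1; ?>",
        "2024/12/.htaccess": b"AddType application/x-httpd-php .jpg\n",
        "2024/11/.htaccess": b"Options -Indexes\n",
        "2024/11/notes.txt": b"nothing to see",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel:25} {reason}")
```

A finding is a lead, not a verdict: a legitimate plugin occasionally ships an .htaccess in uploads, and a benign file can in principle contain the byte sequence `<?php`. What matters for incident response is that an uploads directory on a site running the vulnerable versions should contain no executable PHP at all, so every hit needs an explanation before the site is declared clean.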


View In Platform

https://vi.securin.io/vulnerability/detail/cve-2024-13448
