Thrive Themes has recently patched vulnerabilities in its WordPress plugins and legacy Themes – but attackers are targeting those who haven't yet applied security updates.
The more critical of the two flaws is rated 10 out of 10 on the CVSS scale and exists in Thrive Themes Legacy Themes. These themes can automatically compress images during upload, but this functionality was insecurely implemented, said Chamberland.
“Thrive ‘Legacy’ Themes register a REST API endpoint to compress images using the Kraken image optimization engine,” said Chamberland. “By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote URL and overwrite an existing file on the site with it or create a new file. This includes executable PHP files that contain malicious code.”
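The flaw described above is an image-compression REST endpoint that fetched from an attacker-chosen URL and wrote the result to an attacker-chosen file. The following is an added example, not Thrive Themes' code, of how such an endpoint is registered with the missing controls in place: a capability check, an allow-list on the fetched host, a content check that the body really is an image, and a server-derived file name. The route, allow-listed host and function names are assumptions.

```php
<?php
// Added example (not Thrive Themes' code). Names prefixed "example_" are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/compress-image', array(
        'methods'             => 'POST',
        // Refuse unauthenticated callers and users without upload rights before
        // the handler runs; any route that writes to disk needs this.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args' => array(
            'source_url' => array(
                'required'          => true,
                'validate_callback' => 'example_validate_image_source',
            ),
        ),
        'callback' => 'example_store_compressed_image',
    ) );
} );

// Only http(s) URLs on an allow-listed optimizer host may be fetched.
function example_validate_image_source( $url ) {
    $allowed_hosts = array( 'api.example-optimizer.invalid' ); // assumed allow-list
    $parts = wp_parse_url( $url );
    return false !== wp_http_validate_url( $url )
        && isset( $parts['scheme'], $parts['host'] )
        && in_array( $parts['scheme'], array( 'http', 'https' ), true )
        && in_array( $parts['host'], $allowed_hosts, true );
}

function example_store_compressed_image( WP_REST_Request $request ) {
    $response = wp_remote_get( $request['source_url'], array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch image', array( 'status' => 502 ) );
    }
    $body = wp_remote_retrieve_body( $response );
    // Verify the bytes are an image; the extension is derived from the sniffed
    // type, never from the URL or the request, so ".php" can never be written.
    $info = getimagesizefromstring( $body );
    if ( false === $info || ! in_array( $info['mime'], array( 'image/jpeg', 'image/png', 'image/webp' ), true ) ) {
        return new WP_Error( 'not_an_image', 'Fetched data is not an image', array( 'status' => 415 ) );
    }
    $ext  = image_type_to_extension( $info[2], false );
    $dir  = wp_upload_dir();
    // File name is generated server-side and confined to the uploads directory.
    $name = wp_unique_filename( $dir['path'], 'compressed-' . wp_generate_password( 12, false ) . '.' . $ext );
    file_put_contents( trailingslashit( $dir['path'] ) . $name, $body );
    return rest_ensure_response( array( 'file' => $name ) );
}
```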
Team Showcase, a sister plugin, is also vulnerable to the XSS and PHP object-injection bugs — together they have 66,000 installs.
Loginizer, a popular WordPress security plugin, patched two security issues, including an unauthenticated SQL injection that could allow an attacker to modify the site's database.
Redux, a popular WordPress plugin with more than 1 million active installations, recently patched a vulnerability that allowed an attacker to bypass security measures via a Cross-Site Request Forgery (CSRF) attack.