What is zero-day vulnerability? 

"Zero-day" attacks are attacks that specifically target vulnerabilities of WordPress websites that have not yet been published or fully patched.

Attacks on WordPress websites that take advantage of zero-day vulnerabilities are a major concern for enterprises.

Hackers exploit a zero-day vulnerability in a WordPress plugin to create fake admin accounts

A series of cyberattacks was discovered targeting WordPress websites with the ThemeREX Addons plugin installed.

Hackers are exploiting a zero-day vulnerability in a WordPress plugin created by ThemeREX, a company that sells WordPress themes under the same name.

These attacks were discovered on February 18, 2020 by Wordfence, a company that provides web application firewall (WAF) services for WordPress websites.

The hackers are targeting ThemeREX Addons, a WordPress plugin that comes pre-installed with all of ThemeREX's commercial WordPress themes.

The plugin's role is to help buyers of ThemeREX themes set up their new websites and control various theme features. Wordfence estimates that it has been installed on more than 44,000 websites.

According to the WordPress security company, the plugin registers an endpoint on the WordPress REST API but does not check that the commands sent to that endpoint come from authenticated users (such as the site owner).
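The class of mistake described above, a REST endpoint that changes site state without checking who is calling it, is easiest to see side by side with the corrected form. The following is an added illustration written for this page, not code from ThemeREX Addons or Wordfence: the plugin namespace, route names, option name and callback function are all hypothetical, and the hardened route relies on WordPress's own register_rest_route(), current_user_can() and argument sanitization.

```php
<?php
// Added example, not the ThemeREX Addons code. Hypothetical plugin routes
// under the namespace 'example-plugin/v1'; the option name and callback
// function are assumptions made for this illustration.

// Vulnerable pattern: permission_callback always returns true, so any
// visitor, logged in or not, reaches the callback and can change site state.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_setting',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// Hardened pattern: the request is rejected with 401/403 by the REST server
// unless the caller holds a capability that only administrators have, and the
// input is declared, required and sanitized before the callback ever runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/setting-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_setting',
        'permission_callback' => function () {
            // Unauthenticated REST requests run as user 0, for which every
            // capability check returns false.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared callback: only the second route guarantees this runs for an admin.
function example_plugin_save_setting( WP_REST_Request $request ) {
    $value = $request->get_param( 'value' );
    update_option( 'example_plugin_setting', $value );
    return new WP_REST_Response( array( 'saved' => true ), 200 );
}
```

Two points worth checking when auditing any plugin for this pattern: every register_rest_route() call should carry a permission_callback that does a real capability check (not __return_true), and the callback itself should never let a request parameter choose which function or option it acts on. Since WordPress 5.5 a route registered without a permission_callback triggers a "doing it wrong" notice, but the route still works, so the notice is a hint to fix the code rather than a protection.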

Chloe Chamberland, a cybersecurity threat analyst at Wordfence, said: "This means that remote code can be executed by any visitor, even those without authorized access to the website's administration page." Chloe Chamberland added: "The most worrying thing we encountered is that the likelihood of being hacked is very high: once a new admin user is created, full control over the site is possible."

Chamberland said: "We urge users to temporarily remove the ThemeREX Addons plugin if you're running a version higher than 1.6.50 until the patch is released."

The second, destructive attack

The attacks on websites running the ThemeREX Addons plugin were not the first of their kind: a separate campaign had already been detected the previous day.

That second attack on WordPress sites targets websites using ThemeGrill Demo Importer, a plugin distributed with the themes of ThemeGrill, another WordPress theme provider on the market.

These attacks, however, are considered destructive attacks on enterprise websites, rather than the partial compromises seen in earlier cybercriminal or botnet campaigns. According to reports posted on Twitter, hackers used a flaw in the ThemeGrill plugin to delete the database and reset WordPress sites to their default state. More than 200,000 WordPress websites have been identified as using the ThemeGrill plugin.

Beyond resetting WordPress websites to their original defaults, some hackers also sought to retain full administrative rights on the website.

These are called "1-day" attacks, and they ended soon after the patch was released.

The attacks on ThemeREX, by contrast, are known as "zero-day" attacks: attacks aimed specifically at exploiting vulnerabilities that are unpublished or unpatched.

The recommended response is that, as soon as a vulnerability is published, you immediately disable the affected plugin until a patch has been released.

Cloud WAF - Solution for comprehensive website protection

Prevent the exploitation of vulnerabilities to sabotage your website. Combining the power of a Web Application Firewall with a Multi CDN system and artificial intelligence technology creates a comprehensive cloud-based website protection solution that helps block attacks through web vulnerabilities, DDoS attacks, botnets, crawler attacks and other external threats.
Website: https://vnetwork.vn

Email: contact@vnetwork.vn

Hotline: (028) 7306 8789