A zero-day vulnerability in a WordPress plugin called ThemeREX Addons, which is installed on thousands of sites, is being actively exploited by attackers to create user accounts with administrator rights and thereby take complete control of the vulnerable website.
According to Wordfence, the WordPress site security firm, the plugin is installed on at least 44,000 websites.
ThemeREX is the company behind the plugin; it sells more than 466 commercial WordPress themes and templates, which also bundle the ThemeREX Addons plugin.
The company states that more than 30,000 customers, including some of the world’s top brands and businesses, use its premium WordPress themes to power their websites.
The bug lies in a WordPress REST-API endpoint registered by the plugin that lets any PHP function be executed without first checking whether the request comes from a user with administrative permissions.
Wordfence threat analyst Chloe Chamberland states that this flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject an administrative user account.
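To make the class of flaw concrete, the following added illustration (written for this article; it is not ThemeREX code, and the route, namespace, and function names are hypothetical) contrasts a REST route whose permission callback admits everyone and whose handler runs a caller-supplied function name with a hardened registration that requires the manage_options capability and dispatches only to an explicit allow-list:

```php
<?php
/*
 * Added example, not code from the ThemeREX Addons plugin.
 * All route paths, namespaces and function names below are hypothetical.
 */

// --- Vulnerable pattern (for comparison only; never ship this) -------------
// permission_callback returns true for every caller, so unauthenticated
// requests reach the handler, and the handler calls whatever function name
// the request supplies. This is the shape of bug described in the article.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/unsafe-action', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_unsafe_handler',
        'permission_callback' => '__return_true',
    ) );
} );

function example_addons_unsafe_handler( WP_REST_Request $request ) {
    $fn = $request->get_param( 'fn' );
    return call_user_func( $fn ); // attacker controls which function runs
}

// --- Hardened pattern -------------------------------------------------------
// 1. permission_callback requires an administrator-level capability.
// 2. The 'action' argument is validated against a fixed allow-list.
// 3. The handler maps the validated action to a known internal function;
//    no request value is ever used directly as a callable.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/action', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_safe_handler',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'action' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array_keys( example_addons_actions() ), true );
                },
            ),
        ),
    ) );
} );

// Single source of truth for the actions the endpoint may perform.
function example_addons_actions() {
    return array(
        'clear_cache' => 'example_addons_clear_cache',
        'import_demo' => 'example_addons_import_demo',
    );
}

function example_addons_safe_handler( WP_REST_Request $request ) {
    $actions = example_addons_actions();
    $action  = $request->get_param( 'action' );

    // Defence in depth: re-check even though validate_callback already ran.
    if ( ! isset( $actions[ $action ] ) ) {
        return new WP_Error( 'example_addons_bad_action', 'Unknown action.', array( 'status' => 400 ) );
    }

    return rest_ensure_response( call_user_func( $actions[ $action ] ) );
}

// Hypothetical internal operations the allow-list points at.
function example_addons_clear_cache() {
    delete_transient( 'example_addons_cache' );
    return array( 'cleared' => true );
}

function example_addons_import_demo() {
    update_option( 'example_addons_demo_imported', time() );
    return array( 'imported' => true );
}
```

Two properties of the hardened route are worth noting for review. Because the REST API only attaches a logged-in user to cookie-authenticated requests that carry a valid X-WP-Nonce header, current_user_can() in the permission callback returns false for anonymous or nonce-less requests and WordPress answers 401/403 before the handler runs. And because the handler resolves the action through a fixed array, the set of functions reachable from the endpoint is visible in one place and can be audited, which is not true when a request parameter is passed to call_user_func().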
The ThemeREX Addons plugin vulnerability has not yet been patched by the developer. Since it is being actively exploited, users running a version greater than 1.6.50 are advised to temporarily remove the ThemeREX Addons plugin until a patch is released.
The company has not yet responded regarding the exploitation.