Security News > 2021 > March > Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins
Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.
The Thrive Themes represent a collection of themes and plugins that provide WordPress administrators with the means to quickly customize their websites.
The most important of the bugs is a critical unauthenticated arbitrary file upload and option deletion vulnerability that affects all Thrive Theme's Legacy Themes.
The two security holes can be chained together to deploy malicious code onto a vulnerable website, through a REST API endpoint that Thrive Legacy Themes register to compress images.
The security researchers say that attackers are already exploiting the two flaws in live attacks, and that more than 100,000 WordPress sites that rely on Thrive Theme products may be exposed to compromise.
"For the time being, we urge that site owners running any of the Thrive Themes"legacy" themes to update to version 2.0.0 immediately, and any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins," the researchers conclude.