To the point:
- There were two flaws found in both the Legacy Themes and Plugins.
- The vulnerabilities could be connected together to allow unauthenticated attackers to upload arbitrary files to WordPress websites that are insecure.
- On March 12, 2021, patches for the vulnerable themes and plugins were released.
The Wordfence Threat Intelligence Team found two recently patched vulnerabilities in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins being actively exploited, which were chained together to allow unauthenticated attackers to upload arbitrary files on insecure WordPress websites. Thrive Theme products are used by over 100,000 WordPress sites, and they may also be vulnerable.
Thrive Themes provides a number of products designed to help WordPress sites. Its Thrive Suite, the range includes Legacy Themes – tools for changing the appearance and style of WordPress websites, as well as various plugins. Thrive Architect, which helps site owners build website landing pages, and Thrive Comments, which helps them implement interactive comment sections.
On March 12, two vulnerabilities were found in both these Legacy Themes and plugins, and patches were released. The flaws could be linked together to allow unauthenticated attackers to upload arbitrary files to insecure WordPress websites, potentially compromising the website.
The following versions of Thrive Themes Legacy Themes and plugins are affected:
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 22.214.171.124
- Thrive Comments | Version < 126.96.36.199
- Thrive Headline Optimizer | Version < 188.8.131.52
- Thrive Themes Builder | Version < 2.2.4
- Thrive Leads Version | < 184.108.40.206
- Thrive Ultimatum Version | < 220.127.116.11
- Thrive Quiz Builder Version | < 18.104.22.168
- Thrive Apprentice | Version < 22.214.171.124
- Thrive Architect | Version < 126.96.36.199
- Thrive Dashboard | Version < 188.8.131.52
For the time being, we recommend that anyone using all of the Thrive Themes “legacy” themes update to version 2.0.0 as soon as possible, and anyone using any of the Thrive plugins update to the most recent version available for each plugin.
Our Threat Intelligence Team discovered 2 recently patched vulnerabilities chained together in an active attack on Thrive Themes' "Legacy" Themes & Thrive Themes plugins. Details on what you need to do to protect your site on the official Wordfence blog. https://t.co/m9cG0YJ9aT— Wordfence (@wordfence) March 24, 2021