Thrive Themes published a security update for recently discovered vulnerabilities in Thrive Suite on 25th March 2021. Despite these patches, attackers continue to exploit users who have not yet applied the updates. It is recommended that you take the necessary precautions by ensuring your products are always up to date.
Two vulnerabilities were discovered across both the Legacy Themes and the plugins, and patches were subsequently released on March 12. The flaws could be chained together to allow unauthenticated attackers to upload arbitrary files to vulnerable WordPress sites, resulting in website compromise.
How it works
Attackers are using the Unauthenticated Option Update vulnerability to update an option in the database, which the Unauthenticated Arbitrary File Upload vulnerability then uses to upload a malicious PHP file. Combining the two vulnerabilities gives attackers backdoor access to vulnerable sites, which they can use to compromise them further.
Below is a list of the updated versions:
- Thrive Quiz Builder Version 220.127.116.11
- Thrive Dashboard Version 18.104.22.168
- Thrive Architect Version 22.214.171.124
- Thrive Apprentice Version 126.96.36.199
- Thrive Ultimatum Version 188.8.131.52
- Thrive Leads Version 184.108.40.206
- Thrive Ovation Version 220.127.116.11
- All Themes V2.0.3
- Thrive Headline Optimizer Version 18.104.22.168
- Thrive Comments Version 22.214.171.124
- Thrive Optimize Version 126.96.36.199
- Thrive Themes Builder Version 2.3.1
For more information on these Thrive Themes updates you can follow this URL:
The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.
- Thrive Themes releases security updates (25th March, 2021). Retrieved from Threatpost
- Thrive Themes releases security updates (25th March, 2021). Retrieved from Wordfence