Two vulnerabilities were discovered across the Legacy Themes and plugins in the popular suite of WordPress tools from the marketing platform Thrive Themes. The purpose of Thrive Themes is to help WordPress websites “convert visitors into leads and customers.” The affected suite of products is called Thrive Suite, which includes the Legacy Themes tools along with various other plugins.
The flaws could be chained together to allow attackers to upload arbitrary files to vulnerable WordPress sites, which could lead to website compromise. Patches were released on March 12; however, researchers are still seeing a number of exploits. They have issued a warning that more than 100,000 WordPress sites that operate with Thrive Themes products may still be vulnerable to attack. According to Chloe Chamberland, threat analyst: “We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities.”