CVE-2021-24220
📋 TL;DR
This vulnerability in multiple Thrive Themes WordPress themes allows attackers to execute arbitrary code on affected websites. By exploiting an insecure REST API endpoint for image compression, attackers can overwrite or create files with malicious PHP code. All WordPress sites using affected Thrive Themes versions before 2.0.0 are vulnerable.
💻 Affected Systems
- Thrive Legacy Rise
- Luxe by Thrive Themes
- Minus by Thrive Themes
- Ignition by Thrive Themes
- FocusBlog by Thrive Themes
- Squared by Thrive Themes
- Voice WordPress theme
- Performag by Thrive Themes
- Pressive by Thrive Themes
- Storied by Thrive Themes
📦 What is this software?
- Focusblog by Thrivethemes
- Ignition by Thrivethemes
- Luxe by Thrivethemes
- Minus by Thrivethemes
- Performag by Thrivethemes
- Pressive by Thrivethemes
- Rise by Thrivethemes
- Squared by Thrivethemes
- Storied by Thrivethemes
- Voice by Thrivethemes
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover, data theft, malware distribution, and persistent backdoor installation leading to full server compromise.
Likely Case
Website defacement, SEO spam injection, credential theft, and installation of cryptocurrency miners or malware.
If Mitigated
Limited impact with proper file permissions, web application firewalls, and regular security monitoring.
🎯 Exploit Status
Actively exploited in the wild since March 2021. Exploitation requires chaining this flaw with a separate Option Update vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0
Vendor Advisory: https://thrivethemes.com/security-update/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Update all Thrive Themes to version 2.0.0 or later.
4. Verify that the updates completed successfully.
🔧 Temporary Workarounds
Disable REST API endpoint
Remove or restrict access to the vulnerable image compression endpoint.
Add to functions.php: remove_action('rest_api_init', 'thrive_register_rest_routes');
Note that remove_action only takes effect if it runs after the theme has registered the action; a child theme's functions.php loads before the parent theme's, so in that case hook the call on an action that fires later (for example after_setup_theme) and confirm the route no longer appears in the REST index at /wp-json/.
Web Application Firewall rule
Block requests to the vulnerable REST endpoint.
Block POST requests to: /wp-json/thrive/v1/compress_image
🧯 If You Can't Patch
- Switch to a different WordPress theme immediately
- Implement strict file permissions (755 for directories, 644 for files) and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for any Thrive Themes with version below 2.0.0
Check Version:
wp theme list --fields=name,version --status=active
If a child theme is active, the Thrive parent theme is reported with status "parent" rather than "active", so also run the command without --status to see every installed theme.
Verify Fix Applied:
Confirm all Thrive Themes show version 2.0.0 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/thrive/v1/compress_image
- File write operations in unexpected directories
- PHP file creation in uploads folder
Network Indicators:
- Outbound connections to suspicious domains after image compression requests
- Unusual POST payloads to WordPress REST API
SIEM Query:
source="web_logs" AND (uri="/wp-json/thrive/v1/compress_image" OR (method="POST" AND uri CONTAINS "wp-json/thrive"))
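The log indicators above, turned into a small scanner over web server access logs. This is an added example, not code from the advisory or from Thrive Themes; the endpoint path and the uploads-directory rule are taken from this page's indicators, the log lines are constructed samples, and the combined-log regex assumes the usual Apache/nginx format.

```python
import re
from collections import Counter

# Indicators from this advisory's "Log Indicators" section.
COMPRESS_ENDPOINT = "/wp-json/thrive/v1/compress_image"
THRIVE_REST_PREFIX = "/wp-json/thrive/"
# PHP should never be served from the uploads tree; a request for one is a strong web-shell signal.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.IGNORECASE)

# Combined log format: client - - [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def scan_access_log(lines):
    """Return one (client ip, reason, uri) finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        ip, method, uri = m["ip"], m["method"], m["uri"]
        path = uri.split("?", 1)[0]  # compare on the path only, ignore query strings
        if method == "POST" and path == COMPRESS_ENDPOINT:
            findings.append((ip, "compress_image_post", uri))
        elif method == "POST" and path.startswith(THRIVE_REST_PREFIX):
            findings.append((ip, "thrive_rest_post", uri))
        elif UPLOADS_PHP.match(path):
            findings.append((ip, "php_in_uploads", uri))
    return findings

def clients_by_hits(findings):
    """Count findings per client so the noisiest source IPs surface first."""
    return Counter(ip for ip, _, _ in findings)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2021:10:01:02 +0000] "POST /wp-json/thrive/v1/compress_image HTTP/1.1" 200 145',
    '203.0.113.5 - - [14/Mar/2021:10:01:09 +0000] "GET /wp-content/uploads/2021/03/cache.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [14/Mar/2021:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Mar/2021:10:02:30 +0000] "POST /wp-json/thrive/v1/other HTTP/1.1" 404 10',
    '192.0.2.9 - - [14/Mar/2021:10:03:00 +0000] "GET /wp-content/uploads/2021/03/photo.jpg HTTP/1.1" 200 40000',
]

if __name__ == "__main__":
    for ip, reason, uri in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{uri}")
```

A compress_image POST followed shortly by a request for a .php file under uploads from the same client is the sequence worth paging on; a single REST POST alone is only a lead.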
🔗 References
- https://wpscan.com/vulnerability/a2424354-2639-4f53-a24f-afc11f6c4cac
- https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild