The PageLines and Platform drag-and-drop themes for WordPress have recently been patched for a privilege escalation vulnerability and a remote code execution issue discovered by Sucuri during a routine audit. Sucuri is classifying the vulnerabilities as high risk, with a DREAD score of 9/10, and recommends that users update their copies of the themes as soon as possible.
The privilege escalation vulnerability is present in both themes, where a WordPress AJAX hook is used to modify a set of options. “Because all wp_ajax_ hooks are usable by any logged-in users (no matter what privileges they have on the target site), a subscribed user could use this hook to overwrite any options located on WordPress options database table,” Sucuri explained in the advisory.
This makes it possible for an attacker to grant all new users the administrator role. However, a user’s site must be open for registration in order for this kind of attack to be successful.
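The pattern Sucuri describes, next to a hardened handler, as an added example that is not code from PageLines, Platform or the advisory. The action name `example_save_option`, the `example_theme_*` option names and the `nonce` request field are hypothetical.

```php
<?php
// Added illustration with hypothetical names; not the themes' code.

// Vulnerable pattern: a wp_ajax_{action} hook fires for ANY logged-in
// user, and this handler writes whichever option the request names.
// (Shown for comparison only; it is deliberately not registered.)
function example_save_option_unsafe() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_die();
}

// Hardened form: the only options this endpoint may ever write.
// Core settings such as default_role are not on the list.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_theme_layout',
    'example_theme_color',
);

add_action( 'wp_ajax_example_save_option', 'example_save_option' );
function example_save_option() {
    // Nonce check: the request must come from a form rendered for this user.
    check_ajax_referer( 'example_save_option', 'nonce' );

    // wp_ajax_ only proves the caller is logged in, so check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    // Strict allowlist comparison; anything else is rejected.
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

The capability check alone closes the subscriber-level path; the allowlist limits what the endpoint can write even if an administrator session is abused.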
The free versions of these themes have been downloaded from WordPress.org more than half a million times apiece, so there are likely to be thousands of WordPress users who could potentially be affected. Fortunately, a patch is already available. The WordPress Theme Review team worked quickly to fast-track the two patched versions of the themes, so anyone who has them installed will see an update notice in the WordPress admin. Users who purchased the commercial versions will also see an update available.
If you are currently unable or unwilling to update, a plugin is available that will block exploits for the legacy themes. You can download it from GitHub and install it like any other plugin if you need a quick fix to buy you time to update.
“To clarify, this is ONLY in legacy version of these two PageLines products (Framework and Platform),” PageLines founder Andrew Powers commented on the advisory. “Since this was first reported to us three days ago, we’ve immediately patched those files and updated them on WordPress.org, GitHub and anywhere on PageLines servers.”
So far, Powers has no knowledge of the issue having been exploited. The fact that the danger is limited to sites with open registration should also cut down on the number of vulnerable sites. Now that the security issue is public, it’s imperative that users update immediately.