Using Thrive Themes on your WordPress site?
Do this: Apply the latest WordPress Thrive Themes security updates.
Why: Attackers are actively exploiting two recently patched vulnerabilities in Thrive Themes, a popular WordPress marketing platform. The vulnerabilities allow attackers to compromise websites via an arbitrary file upload.
The following Thrive Themes themes and plugins are known to be vulnerable:
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 126.96.36.199
- Thrive Comments | Version < 188.8.131.52
- Thrive Headline Optimizer | Version < 184.108.40.206
- Thrive Themes Builder | Version < 2.2.4
- Thrive Leads | Version < 220.127.116.11
- Thrive Ultimatum | Version < 18.104.22.168
- Thrive Quiz Builder | Version < 22.214.171.124
- Thrive Apprentice | Version < 126.96.36.199
- Thrive Architect | Version < 188.8.131.52
- Thrive Dashboard | Version < 184.108.40.206
Still Using SolarWinds Orion?
Do this: Upgrade to Orion Platform >= 2020.2.5
Why: Four vulnerabilities are being exploited, two of which result in RCE (a JSON deserialization vulnerability and an Orion Job Scheduler RCE). The other two are less severe but are patched in 2020.2.5 as well. Here are the CVEs:
- CVE-2021-3109 (Medium)
- CVE-2021-35856 (High)
- CVE-2021-PENDING: RCE in JSON deserialization (Critical)
- CVE-2021-PENDING: Orion Job Scheduler RCE (High)
Using Linux (kernel < 5.11.8)?
Do this: Upgrade Debian- and Red Hat-based distros now; other distros should receive patches soon.
Why: Remember Spectre and Meltdown back in 2018? Like a bad penny, they are back in the news with CVEs that can allow access to kernel memory, though the practical constraints of these attacks limit exploitation to users already on the same system. Here are the CVEs:
- CVE-2020-27170 (Medium)
- CVE-2020-27171 (Medium)
Using an Apple Device with iOS, iPadOS, watchOS?
Do this: Update as soon as convenient.
Why: Like most Apple security updates, the advisory is sparse on details, but the risk is "universal cross-site scripting" due to a flaw in the way these OSes' WebKit engine processes web content.
Additional Info: https://support.apple.com/en-us/HT212257
Running a System/Service that Uses OpenSSL?
Do this: Update to OpenSSL v1.1.1k as soon as possible.
Why: Two vulnerabilities were discovered in OpenSSL, reported by Nokia and Akamai: a denial-of-service vulnerability and a certificate-check bypass, respectively. Here are the CVEs:
- CVE-2021-3449 (High)
- CVE-2021-3450 (High)
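Every item in this digest reduces to the same check: is the installed version strictly older than the fixed-in version? The script below is an added example, not part of the original newsletter, that does this comparison for the Linux kernel, OpenSSL and Thrive Themes entries above. The thresholds (5.11.8, 1.1.1k, 2.2.4 and 2.0.0) come from the advisory text; the component labels such as `thrive-theme-builder`, the sample inventory and the `uname -r` / `openssl version` output strings are constructed. It handles the two parsing wrinkles a real inventory throws at you: OpenSSL's single-letter suffix (1.1.1j is older than 1.1.1k) and distro kernel suffixes such as `5.10.0-8-amd64`. One caveat for the kernel entry: Debian and Red Hat backport fixes without bumping the upstream version, so a kernel flagged by this check may already be patched and the distro advisory is the final word.

```python
"""Version-threshold check for the patch advisories above.

Added example, not the newsletter's or any vendor's code. Component names
are constructed labels; the sample inventory is constructed; the fixed-in
thresholds are the ones the advisory states. Distro kernels often backport
fixes without changing the upstream version, so confirm a flagged kernel
against your distro's advisory before acting.
"""
import re
import subprocess
from typing import List, Tuple

# Thresholds quoted from the advisory. Components whose thresholds the
# advisory does not give cleanly are deliberately omitted rather than guessed.
FIXED_IN = {
    "linux-kernel": "5.11.8",
    "openssl": "1.1.1k",
    "thrive-theme-builder": "2.2.4",  # constructed label, threshold from the advisory
    "thrive-legacy-theme": "2.0.0",   # constructed label, threshold from the advisory
}

# Leading dotted numeric version plus an optional single-letter suffix
# (OpenSSL style, e.g. 1.1.1k). Anything after that, such as Debian's
# "-8-amd64" kernel suffix or OpenSSL's build date, is ignored.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")

Version = Tuple[Tuple[int, ...], str]


def parse_version(raw: str) -> Version:
    """Parse 'OpenSSL 1.1.1j  16 Feb 2021' -> ((1, 1, 1), 'j') and
    '5.10.0-8-amd64' -> ((5, 10, 0), '')."""
    m = _VERSION_RE.search(raw)
    if m is None:
        raise ValueError(f"no version string found in {raw!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def version_lt(installed: str, fixed: str) -> bool:
    """True when `installed` is strictly older than `fixed`.

    Numeric components are compared as integers after zero-padding to equal
    length, then the letter suffix is compared: no letter sorts before 'a',
    so 1.1.1 < 1.1.1a < ... < 1.1.1k.
    """
    (a_nums, a_letter), (b_nums, b_letter) = parse_version(installed), parse_version(fixed)
    width = max(len(a_nums), len(b_nums))
    a_nums += (0,) * (width - len(a_nums))
    b_nums += (0,) * (width - len(b_nums))
    return (a_nums, a_letter) < (b_nums, b_letter)


def check_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, installed_raw, fixed_in) for each inventory entry that
    has a known threshold and is older than it. Unknown components are skipped."""
    flagged = []
    for component, installed in inventory:
        fixed = FIXED_IN.get(component)
        if fixed is not None and version_lt(installed, fixed):
            flagged.append((component, installed, fixed))
    return flagged


# Constructed sample inventory, shaped like `uname -r` and `openssl version` output.
SAMPLE_INVENTORY = [
    ("linux-kernel", "5.10.0-8-amd64"),
    ("openssl", "OpenSSL 1.1.1j  16 Feb 2021"),
    ("thrive-theme-builder", "2.2.3"),
    ("thrive-legacy-theme", "2.0.1"),
]


def collect_local() -> List[Tuple[str, str]]:
    """Best-effort collection of the two components this host can report itself.
    Tools that are missing or fail are simply skipped."""
    probes = {"linux-kernel": ["uname", "-r"], "openssl": ["openssl", "version"]}
    inventory = []
    for component, cmd in probes.items():
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        inventory.append((component, out.strip()))
    return inventory


if __name__ == "__main__":
    for component, installed, fixed in check_inventory(SAMPLE_INVENTORY + collect_local()):
        print(f"{component}: installed {installed!r} is older than fixed-in {fixed}")
```

Run as a script it reports the three constructed entries that fall below their thresholds plus whatever the local host reports; the legacy-theme entry at 2.0.1 is correctly left alone. For the WordPress items, the same `check_inventory` call can be fed the plugin and theme versions that WP-CLI prints with `wp plugin list` and `wp theme list`, mapped to the labels used in `FIXED_IN`.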