Multiple vulnerabilities in Workreap theme by Amentotech

Harald Eilertsen posted: " Recently the Jetpack team found some infected files in one of our hosted customers' sites, and quickly traced the source of infection back to the Workreap theme by Amentotech. We started an investigation and uncovered a number of vulnerable AJAX endpoint" New post on Jetpack: WordPress Security, Performance, and Growth Multiple vulnerabilities in Workreap theme by Amentotech by Harald Eilertsen Recently the Jetpack team found some infected files in one of our hosted customers' sites, and quickly traced the source of infection back to the Workreap theme by Amentotech. We started an investigation and uncovered a number of vulnerable AJAX endpoints in the theme; the most severe of these was an unauthenticated unvalidated upload vulnerability potentially leading to remote code execution and a full site takeover. We reported the vulnerabilities to the Amentotech team via the Envato Helpful Hacker program, and the issues were addressed promptly by them. Version 2.2.2 of the theme was released on June 29, 2021 that fixes the found vulnerabilities. TL;DR Due to the seriousness of the vulnerabilities, we highly recommend all users of the Workreap theme to upgrade to version 2.2.2 or later as soon as possible.  Download the upgrade from the theme website and install it manually, or upgrade automatically via the Envato market plugin. Read more of this post Harald Eilertsen | July 7, 2021 at 9:00 am | Tags: Jetpack, Security, WordPress | Categories: Vulnerabilities | URL: https://wp.me/p1moTy-xxd Unsubscribe to no longer receive posts from Jetpack: WordPress Security, Performance, and Growth. Change your email settings at Manage Subscriptions. Trouble clicking? Copy and paste this URL into your browser: http://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/ Thanks for flying with WordPress.com