
The security researcher Rafie Muhammad has found multiple high-severity vulnerabilities in the REHub WordPress theme (premium version) and the associated REHub Framework plugin. These weaknesses, if left unpatched, could have devastating consequences for businesses and individuals running websites built on this popular platform.
With over 35,000 sales, this premium theme has cemented its place as a go-to solution for online businesses aiming to create price comparison and multi-vendor marketplace websites. Bundled with the indispensable REHub Framework plugin, this theme offers a modern multipurpose hybrid design catering to various online business models.
Understanding the Risks
- Exploiting File Inclusion: One critical issue (CVE-2024-31231) is a Local File Inclusion flaw. Attackers could leverage it to execute their malicious code on a website’s server, potentially gaining complete control of the site and causing widespread damage.
- Hijacking Your Database: Two SQL Injection vulnerabilities (CVE-2024-31233, CVE-2024-31234) were also discovered, enabling attackers to inject crafted SQL statements that extract, modify, or delete sensitive information stored within your WordPress database. This could lead to data theft, customer information leaks, or even website defacement.
Popularity Magnifies Risk
The REHub theme and its bundled plugin are widely used due to their versatility for price comparison and multi-vendor websites. This means a large number of sites could be vulnerable if not updated. Remember, cybercriminals often target popular platforms for the broadest possible reach.
Immediate Action Required
- Patch Without Delay: If your website utilizes the REHub theme, immediately update to version 19.6.2 or later. These updates contain the necessary security fixes.
- Review Website Logs: Even after updating, carefully scrutinize your website’s logs for any signs of intrusion attempts that may have happened before the patch.
- Consider Professional Help: If you’re unsure or notice anything suspicious, consider contacting a WordPress security specialist for a thorough assessment.
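The two self-service steps above (confirm the patch, then review logs) can be scripted. The Python below is an added example, not code from the article or from the REHub project: it reads the Version: header that every WordPress theme declares in its style.css, compares it numerically against 19.6.2, and sweeps combined-format access log lines for the generic request patterns that local-file-inclusion and SQL-injection probes leave behind (directory traversal, php:// wrappers, UNION SELECT, and so on). The theme directory name, the style.css contents and all log lines are constructed for the example; the indicator patterns are generic and are not taken from the REHub advisory.

```python
"""Post-advisory checks: is the installed theme version at or above the fixed
release, and do the access logs show LFI or SQLi probes? Everything below is a
constructed example; no file paths or payloads come from the REHub advisory."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

PATCHED_VERSION = "19.6.2"  # fixed release named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'19.6.2' -> (19, 6, 2) so that 19.10.0 sorts after 19.6.2 (string compare would not)."""
    return tuple(int(part) for part in version.strip().split("."))


def theme_version_from_style_css(style_css: str) -> str:
    """Read the 'Version:' line from the header comment WordPress themes put in style.css."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    if not match:
        raise ValueError("style.css has no Version header")
    return match.group(1)


def needs_update(installed: str, patched: str = PATCHED_VERSION) -> bool:
    return parse_version(installed) < parse_version(patched)


# Apache/nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic probe indicators, matched against the percent-decoded request target.
INDICATORS = {
    "lfi": re.compile(r"(\.\./|\.\.\\|php://|/etc/passwd|wp-config\.php)", re.IGNORECASE),
    "sqli": re.compile(
        r"(union\s+(all\s+)?select|\bor\s+\d+\s*=\s*\d+|information_schema|sleep\s*\(|benchmark\s*\()",
        re.IGNORECASE,
    ),
}


def classify_request(target: str) -> List[str]:
    """Return the indicator names that fire on a request target.

    Decoding twice catches double-encoded payloads such as %252e%252e%252f."""
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and keep the requests that match at least one indicator."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "target": m.group("target"),
                "status": m.group("status"), "indicators": hits,
            })
    return findings


# Constructed sample data: a pre-patch style.css header and four log lines.
SAMPLE_STYLE_CSS = "/*\nTheme Name: REHub\nVersion: 19.6.1\n*/\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "GET /wp-content/themes/rehub-theme/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Apr/2024:12:00:07 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 812 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Apr/2024:12:00:09 +0000] "GET /?s=%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Apr/2024:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def run_checks(style_css: str = SAMPLE_STYLE_CSS, log_lines: List[str] = SAMPLE_LOG) -> Dict[str, object]:
    installed = theme_version_from_style_css(style_css)
    return {
        "installed": installed,
        "needs_update": needs_update(installed),
        "findings": scan_access_log(log_lines),
    }


if __name__ == "__main__":
    result = run_checks()
    print(f"installed {result['installed']}, needs update: {result['needs_update']}")
    for f in result["findings"]:
        print(f"{f['ts']} {f['ip']} {','.join(f['indicators'])} {f['target']} -> HTTP {f['status']}")
```

On the sample data the version check reports 19.6.1 as needing the update, and the log sweep flags the traversal request and the UNION SELECT request while ignoring the ordinary style.css and login requests. The status column matters when reading the output: a traversal probe that was answered with 200 rather than 403 or 404 is the line to investigate first, and any hit dated before the update was applied is the signal the "Review Website Logs" step is asking you to look for.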