Charles Sweethill

Researcher from Wordfence
Rank #11363 of 53,635
Total CVSS: 24.2
Vulnerabilities: 3 (Medium: 1, Critical: 2)
PT-2021-15763
5.3
2021-04-12
Thrive Themes · Thrive Leads · CVE-2021-24219
Name of the Vulnerable Software and Affected Versions:
Thrive Optimize WordPress plugin versions prior to 1.4.13.3
Thrive Comments WordPress plugin versions prior to 1.4.15.3
Thrive Headline Optimizer WordPress plugin versions prior to 1.3.7.3
Thrive Leads WordPress plugin versions prior to 2.3.9.4
Thrive Ultimatum WordPress plugin versions prior to 2.3.9.4
Thrive Quiz Builder WordPress plugin versions prior to 2.3.9.4
Thrive Apprentice WordPress plugin versions prior to 2.3.9.4
Thrive Visual Editor WordPress plugin versions prior to 2.6.7.4
Thrive Dashboard WordPress plugin versions prior to 2.3.9.3
Thrive Ovation WordPress plugin versions prior to 2.4.5
Thrive Clever Widgets WordPress plugin versions prior to 1.57.1
Rise by Thrive Themes WordPress theme versions prior to 2.0.0
Ignition by Thrive Themes WordPress theme versions prior to 2.0.0
Luxe by Thrive Themes WordPress theme versions prior to 2.0.0
FocusBlog by Thrive Themes WordPress theme versions prior to 2.0.0
Minus by Thrive Themes WordPress theme versions prior to 2.0.0
Squared by Thrive Themes WordPress theme versions prior to 2.0.0
Voice WordPress theme versions prior to 2.0.0
Performag by Thrive Themes WordPress theme versions prior to 2.0.0
Pressive by Thrive Themes WordPress theme versions prior to 2.0.0
Storied by Thrive Themes WordPress theme versions prior to 2.0.0
Thrive Themes Builder WordPress theme versions prior to 2.2.4

Description: The issue concerns a REST API endpoint associated with Zapier functionality, which was intended to require an API key for access. In vulnerable versions, however, the endpoint could be reached by supplying an empty `api key` parameter when Zapier was not enabled. This allowed attackers to add arbitrary data to a predefined option in the `wp_options` table.

Recommendations:
Update Thrive Optimize WordPress plugin to version 1.4.13.3 or later.
Update Thrive Comments WordPress plugin to version 1.4.15.3 or later.
Update Thrive Headline Optimizer WordPress plugin to version 1.3.7.3 or later.
Update Thrive Leads WordPress plugin to version 2.3.9.4 or later.
Update Thrive Ultimatum WordPress plugin to version 2.3.9.4 or later.
Update Thrive Quiz Builder WordPress plugin to version 2.3.9.4 or later.
Update Thrive Apprentice WordPress plugin to version 2.3.9.4 or later.
Update Thrive Visual Editor WordPress plugin to version 2.6.7.4 or later.
Update Thrive Dashboard WordPress plugin to version 2.3.9.3 or later.
Update Thrive Ovation WordPress plugin to version 2.4.5 or later.
Update Thrive Clever Widgets WordPress plugin to version 1.57.1 or later.
Update Rise by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Ignition by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Luxe by Thrive Themes WordPress theme to version 2.0.0 or later.
Update FocusBlog by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Minus by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Squared by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Voice WordPress theme to version 2.0.0 or later.
Update Performag by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Pressive by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Storied by Thrive Themes WordPress theme to version 2.0.0 or later.
Update Thrive Themes Builder WordPress theme to version 2.2.4 or later.
PT-2021-15764
9.1
2021-04-12
Thrive Themes · Ignition · CVE-2021-24220
Name of the Vulnerable Software and Affected Versions:
Thrive “Legacy” Rise by Thrive Themes WordPress theme versions prior to 2.0.0
Luxe by Thrive Themes WordPress theme versions prior to 2.0.0
Minus by Thrive Themes WordPress theme versions prior to 2.0.0
Ignition by Thrive Themes WordPress theme versions prior to 2.0.0
FocusBlog by Thrive Themes WordPress theme versions prior to 2.0.0
Squared by Thrive Themes WordPress theme versions prior to 2.0.0
Voice WordPress theme versions prior to 2.0.0
Performag by Thrive Themes WordPress theme versions prior to 2.0.0
Pressive by Thrive Themes WordPress theme versions prior to 2.0.0
Storied by Thrive Themes WordPress theme versions prior to 2.0.0

Description: The issue allows an attacker to supply a crafted request to a REST API endpoint that is used to compress images with the Kraken image optimization engine. Combined with data inserted through the Option Update vulnerability, this can be used to retrieve malicious code from a remote URL and overwrite an existing file on the site or create a new file, including executable PHP files containing malicious code.

Recommendations:
For Thrive “Legacy” Rise by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Luxe by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Minus by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Ignition by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For FocusBlog by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Squared by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Voice WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Performag by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Pressive by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.
For Storied by Thrive Themes WordPress theme versions prior to 2.0.0, update to version 2.0.0 or later.