Is This Spam Post Creation Vulnerability in Themify Builder What a Hacker Would Be Interested In?
On Wednesday, we had an odd request to our website from an IP address that is being reported as being used for malicious attacks against WordPress websites. The request was trying to access an AJAX-accessible action named “tb_optin_subscribe”. The action was sent as POST input, with no other POST or GET input. We could only find one WordPress plugin that registers that action, the Themify Builder. We don’t use that plugin, so there isn’t a legitimate reason for that request.
Looking at the relevant function, ajax_subscribe(), in the file /includes/optin-services/base.php, we didn’t see any obvious reason a hacker would be interested in it. The code looks to simply pass information along to newsletter services (MailChimp and others). Seeing as no other GET or POST input was sent with the request, abusing that functionality didn’t seem like a likely explanation.
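The kind of request described above can be surfaced automatically by comparing the AJAX action in each request against the actions actually registered on the site. The following is an added example, not code from the original post or from any plugin; it assumes request records that include the POST body (for instance from a WAF or application-level logging), and the `REGISTERED_ACTIONS` set, function names and sample records are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: AJAX actions registered on this site, e.g. collected from the
# wp_ajax_* / wp_ajax_nopriv_* hooks of the plugins that are installed.
REGISTERED_ACTIONS = {"heartbeat", "query-attachments"}

# Constructed sample records: (client IP, method, URL, urlencoded POST body).
# IP addresses are from the documentation ranges.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "POST", "/wp-admin/admin-ajax.php",
     "action=tb_optin_subscribe"),
    ("198.51.100.4", "POST", "/wp-admin/admin-ajax.php",
     "action=heartbeat&interval=60"),
    ("198.51.100.9", "GET",
     "/wp-admin/admin-ajax.php?action=query-attachments&post_id=0", ""),
    ("203.0.113.7", "POST", "/wp-login.php", "log=admin&pwd=x"),
]


def classify(method, url, body):
    """Return (action, kind) for a suspicious admin-ajax request, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    get = parse_qs(parts.query, keep_blank_values=True)
    post = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    # WordPress takes the action from the request input, GET or POST.
    action = (post.get("action") or get.get("action") or [""])[0]
    if action in REGISTERED_ACTIONS:
        return None
    # An action with no other input at all matches the request in the post:
    # it cannot do useful work, so it is most likely a probe.
    other_params = (set(get) | set(post)) - {"action"}
    kind = "bare-probe" if not other_params else "unregistered-action"
    return action, kind


def find_probes(requests):
    """List (ip, action, kind) for every request to an unregistered action."""
    hits = []
    for ip, method, url, body in requests:
        result = classify(method, url, body)
        if result is not None:
            hits.append((ip, *result))
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_REQUESTS):
        print(hit)
```
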