- More than 200,000 websites at risk of being wiped out
- ThemeGrill Demo Importer plugin in WordPress hosts the vulnerability in its code
- Can lead to database deletion and authentication bypass if exploited
- Versions 1.3.4 to 1.6.1 affected; 16,000 attacks already blocked
- Developers fixed the flaw and urged users to update to the latest version
WordPress, the software behind most of the websites in the digital world, is also the most targeted platform for cyberattacks. This time, the threat is not just serious, it’s deadly.
The vulnerability, found by WebARX Security, is dangerous enough to erase your whole website from the online map.
If you know anything about previous WordPress vulnerabilities, you will not be surprised that this one, too, resides in one of its plugins.
Read the whole article to understand the issue and make sure you protect your precious online business by taking the right measures.
Where is this WordPress plugin vulnerability?
ThemeGrill is a web developer that offers commercial themes for WordPress site owners.
One of its plugins is called ThemeGrill Demo Importer which lets users load a demo to guide them with content, widgets and theme settings on their site.
It is this plugin that has the serious ‘wipe site’ vulnerability in its code.
And guess what? It has been there for three long years.
Recent findings by cybersecurity researchers make it clear that if the flaw is exploited, an attacker can wipe the content of the entire site and reset it to its default state (0) without even being authenticated.
The only condition for triggering the attack is that the website must have a ThemeGrill theme installed and activated.
But that is not all. According to the researchers, an attacker can even end up logged in as the site ‘admin’ after wiping the data.
What is the vulnerability?
The plugin calls a function, reset_wizard_actions, once it detects that a ThemeGrill theme has been activated by the user.
The function does not verify that the request comes from an ‘admin’, which leads to an authentication bypass.
“…only the do_reset_wordpress parameter needs to be present in the URL on any ‘admin’ based page of WordPress, including /wp-admin/admin-ajax.php,” writes WebARX in its report.
The function then drops all WordPress tables, resets the database to its default state and sets the admin password to the previous one.
However, if there is no admin user in the database, the attacker will not be logged in at all after deleting the database.
This is a critical vulnerability: the plugin has a large number of active installs, and hundreds of thousands of websites run the risk of getting hacked by remote attackers who don’t even need malware or a payload to wipe off their victim’s entire data.
As soon as it was reported to the developer, the vulnerability was fixed by adding the current_user_can( 'manage_options' ) check to reset_wizard_actions.
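The missing check and its fix, as an added PHP illustration that is not the plugin's actual source (which is longer): the function, parameter and capability names come from the article, while the tgdi_example_* names and the nonce action are assumptions made for this example.

```php
<?php
// Added illustration of the pattern described above; not the plugin's real code.
// reset_wizard_actions, do_reset_wordpress and manage_options come from the article;
// tgdi_example_* names and the nonce action 'tgdi_example_reset' are assumptions.

// Shared destructive step: drop every table under the site prefix and reinstall WordPress.
function tgdi_example_reset_site() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    // Read what the reinstall needs before the options table disappears.
    $blogname    = get_option( 'blogname' );
    $admin_email = get_option( 'admin_email' );
    $tables = $wpdb->get_col(
        $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $wpdb->prefix ) . '%' )
    );
    foreach ( $tables as $table ) {
        $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
    }
    wp_install( $blogname, 'admin', $admin_email, true );
}

// BEFORE (versions 1.3.4 to 1.6.1): the only gate is the presence of a URL parameter,
// so an unauthenticated request to any admin-based page reaches the destructive step.
function reset_wizard_actions_vulnerable() {
    if ( ! empty( $_GET['do_reset_wordpress'] ) ) {
        tgdi_example_reset_site();
    }
}

// AFTER: the fix adds the capability check. The nonce check is an extra hardening step
// assumed here (check_admin_referer is core WordPress); it stops a logged-in administrator
// from being tricked into triggering the reset through a crafted link.
function reset_wizard_actions_fixed() {
    if ( empty( $_GET['do_reset_wordpress'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset this site.', 403 );
    }
    check_admin_referer( 'tgdi_example_reset' ); // dies with 403 on a missing or invalid nonce
    tgdi_example_reset_site();
}

add_action( 'admin_init', 'reset_wizard_actions_fixed' );
```

The vulnerable function is shown only for contrast; a site running a fixed version never reaches tgdi_example_reset_site() without an administrator's capability and a valid nonce.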
Are you affected and what can you do?
The ThemeGrill Demo Importer Plugin has more than 200,000 active installations and WebARX has already warded off 16,000 attacks exploiting this flaw since it was discovered.
They have even released a list of IP addresses engaged in the attacks.
The vulnerable plugin versions are 1.3.4 through 1.6.1. So, if you are using any of these versions, make sure you update without fail.
The safe version is 1.6.3 and above. Attackers are always on the lookout for tardy users who are slow to patch vulnerabilities.
And in case you are not using the plugin at all, it is better to just delete it.
Also, keep a backup of your website data as a good security measure.
Read the security advisory by ThemeGrill here.
Do you remember the news we covered last year about the two vulnerable plugins, Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor, that let attackers take control of the website?
What do you think about this vulnerability? Let us know your opinion below in the comment section.
Have you come across any such theme or plugin on WordPress that is detrimental to your data? Let your friends and colleagues know about this serious threat and ask them to update their ThemeGrill Demo Importer plugin ASAP.
Stay tuned, stay safe.