Critical Bug in WordPress Plugin Opens 200,000 Sites to Hackers

Feb 18, 2020
Many of us know of and probably use WordPress, and we all know how easy it is to install a plugin to add extra functionality to a website. WordPress also offers theme plugins that change the style of a site. A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs.

The vulnerable plugin in question is 'ThemeGrill Demo Importer', which ships with the free and premium themes sold by the software development company ThemeGrill.

The ThemeGrill Demo Importer plugin is designed to let WordPress site admins import demonstration content, widgets and settings from ThemeGrill, making it easier for them to customize the theme quickly.

What could an attacker do?

When a ThemeGrill theme is installed and activated, the affected plugin executes some functions with administrative privileges without checking whether the user running the code is authenticated, let alone an administrator.

The flaw could allow unauthenticated remote attackers to wipe the entire database of a targeted site back to its default state, after which they are automatically logged in as an administrator, giving them complete control of the site.

As the screenshot above shows, there is no authentication check: only the do_reset_wordpress parameter needs to be present in the URL on any 'admin' page of WordPress, including /wp-admin/admin-ajax.php.

This vulnerability affects ThemeGrill Demo Importer versions 1.3.4 through 1.6.1, all released within the last 3 years.

This is a serious vulnerability that can cause a significant amount of damage. Because the request carries no suspicious-looking payload, no firewall is expected to block it by default; a dedicated rule needs to be created to block this vulnerability.
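One way to hunt for such requests in web-server access logs, as an added example that is not from the original article or from ThemeGrill: it flags any request under /wp-admin/ whose query string carries the do_reset_wordpress parameter, regardless of its value, and runs on constructed sample log lines in combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?do_reset_wordpress=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [18/Feb/2020:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2020:10:02:00 +0000] "POST /wp-admin/themes.php?page=demo-importer&do_reset_wordpress=true HTTP/1.1" 302 0 "-" "python-requests/2.22"
192.0.2.9 - - [18/Feb/2020:10:03:11 +0000] "GET /blog/do_reset_wordpress-explained/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client IP, timestamp, method,
# request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

RESET_PARAM = "do_reset_wordpress"


def is_reset_attempt(target):
    """True when the request targets a /wp-admin/ page and its query string
    contains do_reset_wordpress. The parameter only needs to be present, so
    blank values (keep_blank_values=True) count as well."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return RESET_PARAM in params


def scan_log(text):
    """Return one dict per matching request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_reset_attempt(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

Access logs record only the query string, so a parameter sent in a POST body is invisible here; the blocking rule on the firewall or web server must inspect request bodies as well.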

What happens now?

This vulnerability was responsibly reported to the ThemeGrill developers, who released patched version 1.6.2 yesterday. Please check whether this patch is available for your site and install it as soon as possible.

The WordPress Dashboard automatically notifies administrators when a plugin needs to be updated, but we recommend having plugin updates installed automatically rather than waiting for manual action.
