Last Updated:

WordPress plugin can let hackers wipe up to 200,000 sites

WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites.

The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes.

The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they'll have examples and a starting point on which they can build their own sites.

However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers.

Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin.

The vulnerable function resets the site's content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed.

Furthermore, if the site's database contains a user named "admin," then the attacker is granted access to that user with full administrator rights over the site.

WebARX says the vulnerability impacts all versions of the ThemeGrill Demo Importer plugin between version 1.3.4 and 1.6.1.

ThemeGrill, the plugin's developer, fixed the bug and released version 1.6.2 over the weekend.

This is the second bug in a WordPress plugin that was disclosed this year that can allow attackers to wipe site databases. Last month, the team at Wordfence revealed a similar issue in the WP Database Reset plugin, installed on more than 80,000 sites.

Other notable WordPress bugs that have been disclosed this year include:

A stored cross-site vulnerability in the GDPR Cookie Consent plugin, used by more than 700,000 sites.
A CSRF-to-RCE vulnerability in the Code Snippets plugin, used by more than 200,000 sites.
An authentication bypass bug in the InfiniteWP plugin, used by more than 300,000 sites.

source: zdnet.com