A fix is available, so you may want to make sure that you run the plugin’s latest version
A popular WordPress theme plugin that’s installed on some 200,000 websites has been found to contain a serious vulnerability that, if abused, could allow remote attackers to wipe the sites and gain admin access to them.
Discovered by website security outfit WebARX, the security flaw affects the ThemeGrill Demo Importer plugin, which comes installed with site themes designed by web development company ThemeGrill. WordPress website admins can use the plugin to import demo content, widgets and settings and easily customize their site’s theme.
For three years, however, the plugin suffered from a security hole that left the sites open to remote attacks. In versions 1.3.4 up to 1.6.1, “there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator,” reads the report.
“In order to be automatically logged in as an administrator, there must be a user called ‘admin’ in the database. Regardless of this condition, the database will still be wiped to its default state,” said the researchers. The exploit only works if the plugin is activated.
Either way, the firm stressed that the exploit doesn’t require any suspicious-looking payload – similarly to the exploit abusing a critical vulnerability in the InfiniteWP Client and WP Time Capsule plugins that was disclosed five weeks ago.
WebARX said that it discovered and reported the latest security hole to the tool’s developer ..
Support the originator by clicking the read the rest link below.
