WordPress plugin hole could have allowed attackers to wipe websites

March 31, 2020

A WordPress plugin with over 100,000 active installations had a hole which coould have allowed unauthorised attackers to wipe its users’ blogs clean, it emerged this week.

ThemeGrill is a WordPress theme developer that publishes its own Demo Importer plugin. As the name suggests, it imports demo content, widgets, and theme settings. By importing this data with a single button click, it makes demo content easy for non-technical users to import, giving them fully configured themes populated with example posts. Unfortunately, it also makes it possible for unauthenticated users to wipe a WordPress site’s entire database to its default state and then log in as admin, according to a post from web application security vendor WebARX.

The vulnerability has existed for roughly three years in versions 1.3.4 through 1.6.1, said the security company, and affects sites using the plugin that also have a ThemeGrill theme installed and activated.

The problem lies with an authentication bug in code introduced by class-demo-importer.php, a PHP file that loads a lot of the Demo Importer functionality. That file adds a code hook into admin_init, which is code that runs on any admin page.

The hook added into admin_init enables someone who isn’t logged into the site to trigger a database reset, dropping all the tables. All that’s needed to trigger the wipe is the inclusion of a do_reset_wordpress parameter in the URL on any admin-based WordPress page.

Unfortunately for site admins, one of those admin-based WordPress pages is /wp-admin/admin-ajax.php. This page, which loads the WordPress Core, doesn’t need a user to be authenticated when it loads, WebARX explains.

Loading this page with the offending parameter will drop the tables. Even more damaging, if there is a user with the name admin, it will log the attacker in using that account so that they can wreak even more havoc.

WebARX explained that it discovered the issue on 6 February 2020, resending the bad news to ThemeGrill three times through last Friday 14 February. The developer published a patch – version 1.6.2 – on Saturday 15 February saying that it had fixed the issue and thanking WebARX.

Beware, though – there’s another update. On Tuesday, ThemeGrill user mauldincultural posted on the company’s WordPress support page, explaining that their site had been hacked. They updated the Demo Importer to 1.6.2, but:

…this morning our site was down again. Our host was able to retrieve it again, but confirmed it was still an issue with our theme

ThemeGrill support explained that they’d need to upgrade to another version, 1.6.3, released yesterday, Tuesday 18 February. This contained the change: “Enhancement – secure reset button with nonce check.”

In the meantime, the plugin’s usage statistics are a little worrying. The active installs have dipped around 2% since early February as news of the vulnerability spread. Downloads spiked with the release of the new version, which is a positive sign because it shows that people are updating. However, only six in ten installations are using version 1.6. The rest are using 1.5 or earlier. So we may well see a heap of poorly maintained or abandoned sites getting wiped.

As ThemeGrill has pointed out in response to another pwned user, once you’ve used the plugin to load your demo content you don’t actually need it, so the best option is to disable or deactivate it altogether.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.