Critical WordPress plugin bug lets hackers wipe thousands of websites.

Hanno Labuschagne18 February 2020

A serious WordPress plugin vulnerability could allow hackers to wipe information from thousands of sites, according to a report released by WebARX.

The affected plugin is the ThemeGrill Demo Importer, which is included with commercial themes from website development company ThemeGrill.

The plugin currently has over 200,000 active installations and lets users import demo content, widgets, and theme settings to preview examples of what their web page will look like.

No authentication needed

According to WebARX, the exploit allows any unauthenticated user to wipe a site’s entire database and return it to its default state. Additionally, the user is then automatically logged in as an administrator on the site.

WebARX said that since the exploit does not require any suspicious-looking payload, it is not expected that any firewall will block this by default.

The affected plugin versions run from 1.3.4 to 1.6.1, which means that the vulnerability has been around for three years.

After WebARX released its own patch for the issue to its customers on 6 February, it reported the problem to WordPress.

An update was subsequently rolled out on 16 February to fix the issue. Users who are running the impacted versions of the plugin are encouraged to install this patch.