A vulnerability in a WordPress theme plugin allows remote attackers to gain full administrator rights and possibly even wipe the entire website database, according to a report by WebARX.
The vulnerability was discovered in ThemeGrill Demo Importer, a plugin that offers demo options for themes, widgets, and other content that can help customize websites. This content is sold by ThemeGrill, a web development company.
An attack requires the plugin to be active and a ThemeGrill theme to be installed on the site. Attackers then exploit the plugin's lack of authentication checks to gain admin privileges, which works as long as a user called ‘admin’ exists in the database. Whether or not such a user exists, the database can still be wiped to its default state.
It was noted that the exploit doesn’t require a suspicious-looking payload, making it harder to detect. The researchers believe that the issue had existed for around 3 years, from version 1.3.4 up to version 1.6.1, based on the SVN commit history. ThemeGrill has since patched the vulnerability in version 1.6.2, and version 1.6.3 has also been released.
The plugin was originally installed on over 200,000 WordPress sites, and the researchers detected 16,000 threats. Following the release of the WebARX report, the install count dropped to 100,000 as website owners started uninstalling the plugin.
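The bug class described above, a destructive plugin action reachable without authentication, is easiest to see side by side with its hardened form. The following is an added, illustrative example and not ThemeGrill's own code; the hook names, option name, table name and function names are hypothetical, and the WordPress API calls used (`is_user_logged_in`, `current_user_can`, `check_admin_referer`, `admin_post_*` hooks) are the standard ones.

```php
<?php
// Added illustrative example (not the plugin's actual code). Shows a "reset"
// action first in the unsafe shape the report describes, then hardened.
// All plugin-specific names below are hypothetical.

// The destructive operation itself: scoped to data this plugin owns.
function demo_perform_reset() {
    global $wpdb;
    // Remove only this plugin's own settings, never core options such as users.
    delete_option( 'demo_importer_settings' );
    // Drop only this plugin's own table, using the site's table prefix.
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}demo_importer_cache" );
}

// UNSAFE pattern: a request parameter alone triggers the reset. admin_init
// also fires on admin-ajax.php, which unauthenticated visitors can reach,
// so no login, capability or nonce check stands between a GET and the reset.
function demo_reset_unsafe() {
    if ( isset( $_GET['do_demo_reset'] ) ) {
        demo_perform_reset();
    }
}
// add_action( 'admin_init', 'demo_reset_unsafe' ); // do not register this

// HARDENED pattern: only a logged-in administrator, submitting a POST form
// that carries a valid nonce, may trigger the reset.
function demo_reset_safe() {
    if ( ! isset( $_POST['do_demo_reset'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with 403 unless the nonce for this action is present and valid.
    check_admin_referer( 'demo_reset_action', 'demo_reset_nonce' );
    demo_perform_reset();
}
// admin_post_{action} only fires for logged-in users posting to admin-post.php
// with action=demo_reset; the nopriv variant is deliberately not registered.
add_action( 'admin_post_demo_reset', 'demo_reset_safe' );

// The form that issues the request must embed the matching nonce field:
function demo_reset_form_html() {
    return '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">'
        . '<input type="hidden" name="action" value="demo_reset">'
        . '<input type="hidden" name="do_demo_reset" value="1">'
        . wp_nonce_field( 'demo_reset_action', 'demo_reset_nonce', true, false )
        . '<button type="submit">Reset demo data</button></form>';
}
```

The three checks are independent layers: the capability check stops low-privilege accounts, the nonce stops cross-site request forgery against an administrator who is logged in, and registering only the privileged `admin_post_` hook keeps anonymous requests from reaching the handler at all. Scoping `demo_perform_reset` to the plugin's own tables and options also limits the blast radius if one of those layers ever fails.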
WordPress powers 35% of all websites, making it an attractive target for cybercriminals. These days, a majority of companies across different industries and many individuals have their own websites to promote their products and services. The option to customize these websites through Content Management Systems (CMS) is utilized by many website owners to ensure that their site reflects their brand properly.
However, using a CMS also comes with risks. Besides exploiting vulnerable plugins, WordPress sites can be attacked by hijacking admin access, deploying Alfa-Shell, search engine optimization (SEO) poisoning, and many other methods.