The developers of the ThemeGrill Demo Importer plug-in for WordPress have released an update that removes a serious vulnerability granting administrator privileges to unauthenticated users. An attacker can log in as an administrator and reset the entire database of the website to its default state, thereby taking full control of the site.
The plug-in is used to import the demo content, widgets and settings of ThemeGrill themes, so that site owners can quickly customize a theme. It is currently installed on nearly 200,000 WordPress websites, and the most widely used versions are the vulnerable ones.
The vulnerability exists in ThemeGrill Demo Importer versions 1.3.4 through 1.6.1. According to the statistics of the official WordPress plug-in repository, the most popular versions are 1.4 to 1.6, which account for more than 98% of current installations.
For an attacker to erase a site's database, a ThemeGrill theme must be installed and active alongside the plug-in; that combination is what makes the attack possible.
Researchers at WebARX, a WordPress security company, note a further prerequisite for the automatic administrator login: the target database must contain a user named "admin". WebARX mainly provides vulnerability detection and virtual-patching software that shields websites from flaws in third-party components.
Once the plug-in detects an installed and activated ThemeGrill theme, it loads the file /includes/class-demo-importer.php, which hooks reset_wizard_actions to admin_init on line 44.
The researchers explained that the "admin_init" hook runs in the admin context, but it is also triggered by requests to "/wp-admin/admin-ajax.php", which do not require the user to be authenticated.
This lack of authentication is what makes the vulnerability exploitable. If an "admin" user exists in the database, an unauthenticated attacker can use this account to log in and delete all WordPress tables that begin with the configured database prefix.
Once all tables have been deleted, the plug-in repopulates the database with default settings and data, and then sets the password of the "admin" user back to its previously known value.
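The root cause described above is a privileged action hooked to admin_init with no check on who is calling it. The following is an added illustration, not ThemeGrill's code: a hypothetical reset handler in the vulnerable shape, beside the same handler guarded the way a WordPress plug-in should guard it. All function, action and nonce names here are assumptions; the destructive reset itself is left as an empty placeholder.

```php
<?php
// Added example (not the plug-in's own code). Names below are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// admin_init fires for every request that loads wp-admin, including
// /wp-admin/admin-ajax.php, which WordPress serves to unauthenticated
// visitors. Nothing here verifies who is asking, so any visitor who adds
// ?do_reset_wizard=true to such a request reaches the privileged reset.
add_action( 'admin_init', 'example_reset_wizard_actions_vulnerable' );
function example_reset_wizard_actions_vulnerable() {
    if ( empty( $_GET['do_reset_wizard'] ) ) {
        return;
    }
    example_reset_site_to_defaults(); // privileged and destructive, unguarded
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'admin_init', 'example_reset_wizard_actions_hardened' );
function example_reset_wizard_actions_hardened() {
    if ( empty( $_GET['do_reset_wizard'] ) ) {
        return;
    }
    // 1. Do not service a destructive admin action from the AJAX endpoint at all.
    if ( wp_doing_ajax() ) {
        return;
    }
    // 2. Capability check: only users who may manage the site can reset it.
    //    This is the check whose absence the article describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }
    // 3. CSRF protection: the request must carry a nonce issued to this user,
    //    e.g. a link built with wp_nonce_url( $url, 'example_reset_wizard' ).
    check_admin_referer( 'example_reset_wizard' );

    example_reset_site_to_defaults();
}

// Placeholder for the reset logic; deliberately not implemented here.
function example_reset_site_to_defaults() {
}
```

Of the three guards, the capability check is the one that closes the hole described above; the nonce check additionally prevents a logged-in administrator from being tricked into triggering the reset through a crafted link, and refusing AJAX requests limits the paths through which the action can be reached.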
WebARX researchers found the vulnerability on February 6 and reported it to the developers the same day. Ten days later, on Sunday, ThemeGrill released a new version that fixes the vulnerability.
At the time of writing, the patched version had been downloaded about 23,000 times, which suggests that a large number of websites using ThemeGrill Demo Importer may still be exposed.
In mid-January, two vulnerabilities were reported in WordPress Database Reset, a plug-in that gives administrators a convenient way to reset the site's database to its default values. When exploited, they have the same impact as the flaw described here.
One, CVE-2020-7048, allows unauthenticated users to reset any database table, while the other, CVE-2020-7047, lets accounts with the lowest privileges gain administrator privileges.
(Reprinted from FreeBuf.COM)