Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites
February 19, 2020
CCME (4607 articles)
Share

Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.

The problem lies with versions 1.3.4 and above and 1.6.1 and below of the ThemeGrill Demo Importer plugin, according to WebARX.

The firm said that the bug could allow any unauthenticated user to wipe the entire database to its default state and then log in as administrator.

“The prerequisite is that there must be a theme installed and activated that was published by ThemeGrill. In order to be automatically logged in as an administrator, there must be a user called ‘admin’ in the database. Regardless of this condition, the database will still be wiped to its default state,” the firm explained.

“Based on the SVN commit history, this issue has existed in the code for roughly three years, since version 1.3.4.”

WebARX warned that the vulnerability is particularly dangerous as it doesn’t require a suspicious-looking payload to exploit. For that reason, firewalls are not likely to block attacks by default and security admins would need to create a special rule for them to do so.

ThemeGrill is a popular provider of WordPress themes which users can deploy to customize their websites. The plugin in question can be used to demo content, widgets and theme settings quickly and easily.

The vulnerability is the second in the space of a month which could allow attackers to effectively wipe targeted WordPress sites.

Back in January, Wordfence warned of critical flaw CVE-2020-7048 which affects the WP Database Reset plugin that has been installed over 80,000 times.

“Without proper security controls in place, the WP Database Reset plugin contained a serious flaw that allowed any unauthenticated user the ability to reset any table in the database,” the firm explained. “This reset would result in a complete loss of data availability. An attacker could send a simple request and a site would be completely reset to the WordPress standard defaults.”

This post Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites originally appeared on InfoSecurity Magazine.

Read More

Related articles

UNICEF Leaks Personal Data of 8000 Online Learners

UNICEF Leaks Personal Data of 8000 Online Learners

Sydney Airport Gets 24/7 Security Operations Center

Sydney Airport Gets 24/7 Security Operations Center

British Airways Website, Mobile App Breach Compromises 380k

British Airways Website, Mobile App Breach Compromises 380k