‘ThemeGrill Demo Importer’ is a popular WordPress theme plugin with over 200,000 installations. It has recently been discovered that the plugin contains a significant vulnerability that could allow unauthenticated attackers to take control of numerous websites and blogs that remain unpatched. The vulnerability has existed in the ThemeGrill plugin for the past three years, from version 1.3.4 up to 1.6.1; versions 1.4, 1.5 and 1.6 together account for 98.6 percent of active installations of the plugin.
ThemeGrill Demo Importer, developed by the software development company ThemeGrill, lets WordPress site admins import images, widgets and demo content, which makes it easier to customize the themes.
According to the cyber-security company WebARX, the plugin exposes administrative permissions and functions without verifying whether the requesting user is an admin. This flaw lets unauthenticated attackers delete the entire database of a vulnerable website, after which the attacker is authenticated as an admin and gains control over the site. The precondition for a website to be exploitable is that a ThemeGrill-published theme is installed and activated on it. Some websites have shown signs of exploitation by displaying the default WordPress “Hello World” post: after the flaw has been used, the website database is repopulated with default settings and data.
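As an added illustration of the bug class described above (this is not ThemeGrill's code; the plugin prefix `myplugin_`, the request parameter, the hook action name and the helper `myplugin_perform_reset()` are hypothetical), a destructive admin action that performs no authorization check is shown beside the same action gated the way a WordPress plugin should gate it:

```php
<?php
// Illustrative example only. myplugin_perform_reset() is assumed to exist and
// to wipe and re-initialize the site database; it is not shown here.

// VULNERABLE PATTERN: the reset runs whenever a request carries the parameter.
// 'admin_init' also fires for unauthenticated requests to admin-ajax.php, and
// nothing here asks who is making the request, so any visitor can trigger it.
function myplugin_reset_vulnerable() {
    if ( ! isset( $_GET['myplugin_reset'] ) ) {
        return;
    }
    myplugin_perform_reset();
}
// add_action( 'admin_init', 'myplugin_reset_vulnerable' ); // do not ship this

// HARDENED PATTERN: the same action, reachable only by a logged-in user with
// the right capability, only via POST, and only with a valid nonce.
function myplugin_reset_hardened() {
    // 1. Authorization: the caller must be allowed to administer the site.
    //    Being logged in is not enough; check the capability explicitly.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent / CSRF protection: the request must carry a nonce issued for
    //    this specific action; check_admin_referer() dies on failure.
    check_admin_referer( 'myplugin_reset_action', 'myplugin_reset_nonce' );

    // 3. Explicit confirmation so a single stray request cannot wipe the site.
    if ( empty( $_POST['myplugin_confirm'] ) || 'yes' !== $_POST['myplugin_confirm'] ) {
        wp_die( 'Reset not confirmed.', '', array( 'response' => 400 ) );
    }

    myplugin_perform_reset();

    // Send the administrator back to the dashboard after the reset.
    wp_safe_redirect( admin_url( 'index.php?myplugin_reset=done' ) );
    exit;
}
// 'admin_post_{action}' only fires for logged-in users posting to admin-post.php;
// the 'admin_post_nopriv_' variant is deliberately NOT registered.
add_action( 'admin_post_myplugin_reset', 'myplugin_reset_hardened' );
```

The request that reaches the vulnerable handler carries no payload a firewall would recognize as malicious, which is why the authorization check has to live in the plugin code rather than in a generic WAF signature.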
Because exploiting the vulnerability does not require a suspicious-looking payload, firewalls cannot block it by default, and a dedicated rule has to be written to block it. At the time of the report, the vulnerability had not yet been assigned a CVE number or a CVSS score.
On February 18, 2020, it was reported that the number of plugin installations had dropped to 100,000. Based on WordPress plugin repository statistics, this suggests that many site owners have uninstalled the plugin.