Cyber criminals are reportedly exploiting a vulnerability in a WordPress plugin that allows them to erase website databases, and in some cases entire websites have been seized.
According to website security firm WebARX, the culprit is the ThemeGrill Demo Importer plugin. It had more than 200,000 active installations; that figure has since dropped to about 100,000 as news of the vulnerability spread.
Last week, WebARX reported that the vulnerability allows any unauthenticated user to wipe the entire database back to its default state, after which they are automatically logged in as an administrator.
Alarmingly, according to WebARX, the flaw has existed in the code for three years. It can be exploited if a theme published by ThemeGrill is installed and activated and the database contains an active user named “admin”.
The patch can be found here.
WebARX explains the technical details:
Once the plugin detects that a ThemeGrill theme is installed and activated, it loads the file /includes/class-demo-importer.php which hooks reset_wizard_actions into admin_init on line 44.
The admin_init hook runs not only in the admin environment but also on calls to /wp-admin/admin-ajax.php which does not require a user to be authenticated.
Here we see that there is no authentication check and only the do_reset_wordpress parameter needs to be present in the URL on any “admin” based page of WordPress, including /wp-admin/admin-ajax.php.
If we are currently not logged in, it will retrieve the “admin” user object from WordPress and then drop all WordPress tables that start with the defined WordPress database prefix.
Once all tables have been dropped, it will populate the database with the default settings and data after which it will set the password of the “admin” user to its previously known password.
However, this does not matter since we are automatically logged in as “admin” near the end of the function. If the “admin” user does not exist in the database, then the users table will remain empty and you will not be automatically logged in as any user.
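To make the root cause in WebARX's description concrete from a plugin developer's side, here is an added illustration (not ThemeGrill's code, and not from WebARX): a hypothetical plugin action hooked into admin_init, first in the unsafe shape described above, then hardened with the checks WordPress provides. The function names, the `do_example_reset` parameter and the nonce action name are all assumptions made for this example.

```php
<?php
/**
 * Added example (hypothetical plugin, not ThemeGrill's code).
 *
 * admin_init fires for every admin-area request, including
 * /wp-admin/admin-ajax.php, which does not require a logged-in user.
 * A handler that only inspects a request parameter therefore runs for anyone.
 */

// UNSAFE PATTERN: parameter check only, no authentication, capability or nonce check.
// Left unhooked on purpose; it is here only to show the shape of the bug.
function example_unsafe_reset_actions() {
    if ( ! isset( $_GET['do_example_reset'] ) ) {   // hypothetical parameter name
        return;
    }
    example_do_privileged_reset();
}
// add_action( 'admin_init', 'example_unsafe_reset_actions' ); // never register this

// HARDENED PATTERN: the same action, gated before anything destructive happens.
function example_safe_reset_actions() {
    if ( ! isset( $_GET['do_example_reset'] ) ) {
        return;
    }
    // Do not service this from admin-ajax.php at all; AJAX work belongs in a
    // dedicated wp_ajax_* handler that performs the same checks below.
    if ( wp_doing_ajax() ) {
        return;
    }
    // Only a logged-in user holding manage_options (an administrator) may proceed.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example-plugin' ), 403 );
    }
    // CSRF protection: the triggering link must carry a valid nonce for this action.
    check_admin_referer( 'example_reset_nonce_action', '_wpnonce' );

    example_do_privileged_reset();
}
add_action( 'admin_init', 'example_safe_reset_actions' );

// Builds the trigger URL with the nonce so legitimate admin clicks pass the check.
function example_reset_url() {
    $url = add_query_arg( 'do_example_reset', '1', admin_url( 'themes.php' ) );
    return wp_nonce_url( $url, 'example_reset_nonce_action', '_wpnonce' );
}

// Stand-in for the plugin's own reset logic; here it only records an audit entry
// (who triggered the reset and when) so the action leaves a trace for defenders.
function example_do_privileged_reset() {
    update_option( 'example_last_reset', array(
        'user_id' => get_current_user_id(),
        'time'    => time(),
    ), false );
}
```

The ordering matters: the capability check and the nonce check both run before any state changes, and the AJAX path is refused outright rather than relying on the caller being authenticated. Any admin_init handler in a plugin that reacts to a request parameter without these three gates has the same exposure the WebARX write-up describes.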
WebARX says it has blocked more than 16,000 attacks against this vulnerability since Feb. 16, when ThemeGrill released a patch to fix the issue.
WordPress users using the plugin are advised to install the update immediately, as attackers often monitor change logs to see what was fixed and target users of the old software.