Hackers exploit critical vulnerability found in ~ 100,000 WordPress sites, Ars Technica

Flaw in ThemeGrill plugin lets attackers wipe sites clean and possibly take them over.

The flaw is in the ThemeGrill Demo Importer

– hanno (@hanno), February

“There’s currently a severe vuln in a wordpress plugin called ‘themegrill demo importer’ that resets the whole database,” Böck wrote. “https://webarxsecurity.com/critical-issue-in-themegrill-demo-importer/ It seems attacks are starting: Some of the affected webpages show a wordpress ‘hello world’-post. / cc If you use this plugin and your webpage hasn’t been deleted yet consider yourself lucky. And remove the plugin. (Yes, remove it, don’t just update.)”

Hello, cruel world

The “Hello World” message is the default placeholder displayed on WordPress sites when the open source content-management system is first installed or when it’s wiped clean. Böck told me that attackers appear to be exploiting the ThemeGrill vulnerability in hopes of gaining administrative control over affected websites. Website takeovers only occur when a vulnerable site has an account with the name “admin.” In those cases, after hackers exploit the vulnerability and wipe clean all data, they are automatically logged in as a user that has administrative rights.

“The thing is, in most cases you get ‘only’ a database reset, ie that’s not really useful for an attacker, but if a user ‘admin’ exists, the attacker can take that over,” he said in a direct message. “But you don’t know that in advance. Therefore I assume attackers will just try and leave a lot of devastated WordPress installations behind while hijacking the few where this attack works.”

The ThemeGrill Demo Importer is used to automatically import other plugins available from Web development company ThemeGrill (https://themegrill.com/).

According to WebARX, the vulnerability has been present for about three years and resides in versions 1.3.4 through 1.6.1. The fix is available in version 1.6.2, although a newer version (1.6.3) became available in the past hours.

Failure to authenticate

The bug stems from a failure to authenticate users before allowing them to carry out privileged administrative commands. Hackers can abuse this failure by sending Web requests that contain specially crafted text strings.

“This is a serious vulnerability and can cause a significant amount of damage,” WebARX researchers wrote in this weekend’s disclosure. “Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default, and a special rule needs to be created to block this vulnerability.”

Specifically, the vulnerability allows attackers to delete all tables and populate the database with default settings and data. Accounts named “admin,” assuming any exist, are set to their previously known password, and in that case the attacker will find themselves logged in with administrative rights.
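The defect described above, an administrative action reachable without any authentication check, is illustrated below as an added example; this is not the ThemeGrill plugin's code, and the hook callback names, the request parameter `demo_reset` and the helper `demo_reset_database()` are hypothetical. The first function shows the shape of the bug, the second the checks WordPress plugins are expected to perform before a destructive action.

```php
<?php
// Added illustration, not ThemeGrill code. Names below are hypothetical;
// only the shape of the defect matches the article: a database reset
// wired to admin_init with no capability or nonce check.

// VULNERABLE PATTERN: admin_init fires for every request that reaches the
// admin area, including admin-ajax.php calls from anonymous visitors, so
// the only thing gating the reset is the presence of a query parameter.
function demo_reset_vulnerable() {
    if ( empty( $_GET['demo_reset'] ) ) {
        return;
    }
    demo_reset_database(); // assumed helper: drops tables, reinstalls defaults
    // Convenience feature turned takeover: if an "admin" login exists, the
    // anonymous caller is handed that account's session.
    $admin = get_user_by( 'login', 'admin' );
    if ( $admin ) {
        wp_set_auth_cookie( $admin->ID );
    }
}
add_action( 'admin_init', 'demo_reset_vulnerable' );

// HARDENED PATTERN: the same action, gated the way WordPress expects.
// 1) current_user_can() rejects anonymous and low-privilege users.
// 2) check_admin_referer() ties the request to a nonce issued to that
//    user, so a forged link or cross-site request is refused as well.
function demo_reset_hardened() {
    if ( empty( $_GET['demo_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_reset_action', 'demo_reset_nonce' );
    demo_reset_database();
    // No auth-cookie shortcut: the caller already is an administrator,
    // so there is nothing to "log in" as after the reset.
}
add_action( 'admin_init', 'demo_reset_hardened' );
```

The request itself carries nothing unusual, which is why the WebARX quote above says a firewall will not catch it by default; the only reliable mitigation is the capability and nonce check inside the plugin, or removing the plugin.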

WebARX researchers discovered the vulnerability and reported it to ThemeGrill developers on February 2. The plugin developer did not issue a fix until Sunday. Websites that use ThemeGrill should update immediately. Better yet, as Böck recommended, they should uninstall the plugin altogether. The vulnerability is distinct from another bug reported over the weekend in the WordPress plugin wpCentral. That flaw allows untrusted users to escalate privileges.
