WordPress plugin hole could have allowed attackers to wipe websites (19th, February, 2020)

Description

A WordPress plugin with over 100,000 active installations had a hole which could have allowed unauthorized attackers to wipe its users’ blogs clean. The vulnerability emerged this week.

Summary

ThemeGrill is a WordPress theme developer that publishes its own Demo Importer plugin. This plugin imports demo content, widgets, and theme settings. By importing this data with a single button click, it makes demo content easy for non-technical users to import, giving them fully configured themes populated with example posts. Unfortunately, it also makes it possible for unauthenticated users to wipe a WordPress site’s entire database to its default state and then log in as admin, according to a post from web application security vendor WebARX (Critical Issue In ThemeGrill Demo Importer Leads To Database Wipe and Auth Bypass, 2020).  The vulnerability has existed for roughly three years in versions 1.3.4 through 1.6.1, according to the Security Company. The vulnerability affects sites using the plugin that also have a ThemeGrill theme installed and activated.

How does the WordPress vulnerability work?

The problem lies with an authentication bug in code introduced by class-demo-importer.php, a PHP file that loads a lot of the Demo Importer functionality. That file adds a code hook into admin_init, which is code that runs on any admin page.

The hook added into admin_init enables someone who isn’t logged into the site to trigger a database reset, dropping all the tables. All that’s needed to trigger the wipe is the inclusion of a do_reset_wordpress parameter in the URL on any admin-based WordPress page.

Unfortunately for site admins, one of those admin-based WordPress pages is /wp-admin/admin-ajax.php. This page, which loads the WordPress Core, doesn’t need a user to be authenticated when it loads, WebARX explains.

Even more damaging, if there is a user with the name admin, it will log the attacker in using that account so that they can wreak even more havoc.

 

Updates:

WebARX explained that it discovered the issue on 6 February 2020, resending the bad news to ThemeGrill three times through last Friday 14 February. The developer published a patch – version 1.6.2 – on Saturday 15 February saying that it had fixed the issue and thanking WebARX.

Beware, though – there’s another update. ThemeGrill user ‘mauldincultural’ posted on the company’s WordPress support page, explaining that their site had been hacked. 

ThemeGrill support explained that they’d need to upgrade to another version, 1.6.3, released on Tuesday 18 February. This contained the change: “Enhancement – secure reset button with nonce check”. ThemeGrill has pointed out that once you have used the plugin to load your demo content you don’t actually need it, so the best option is to disable or deactivate it altogether.

The Guyana National CIRT recommends users and administration to review this update and apply it where necessary.

 

References