Hackers can wipe your WordPress site with this plugin flaw
If you use WordPress as a tool to manage the content of your website, we recommend updating a particular plugin on the platform (if in use) right away. Multiple reports have suggested that the tool in question carries a critical vulnerability that hackers can exploit to carry out attacks capable of wiping out websites. Here's all you need to know about it.
Plugin from ThemeGrill carries the flaw
The vulnerability, as ZDNet reports, ties to a plugin called 'ThemeGrill Demo Importer'. It comes bundled with the commercial themes sold by ThemeGrill - a popular WordPress developer - to help site owners add demo content and see what the theme they purchased would actually look like. The tool has already been installed on more than 200,000 websites, according to the outlet.
How the flaw makes websites vulnerable
According to security firm WebARX, the security flaw, present in older versions of ThemeGrill's Demo Importer, makes sites using the plugin vulnerable to remote attacks. They claimed that a hacker sitting anywhere in the world could send a specially-crafted payload to sites using ThemeGrill and trigger a specific function within Demo Importer that resets the whole site to a blank state, wiping all its content.
Plus, it also provides access to the site
Along with remote wiping, the flaw in Demo Importer also opens a way to gain full control over a vulnerable site. Specifically, if the site's database contains a user named 'admin', the bug hands the attacker a session as that account, giving them full administrator rights over the site. From there, they could use the site any way they want to.
Update to the latest version of ThemeGrill Demo Importer
In order to dodge these issues and keep your site completely safe, update ThemeGrill Demo Importer to the latest available version. The bug exists in versions 1.3.4 through 1.6.1, and updating to 1.6.2 or a newer release patches the loophole. That said, given the user base of Demo Importer, we suspect hundreds of thousands of website owners might be vulnerable to this flaw.
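As an added defender-side example (not code from the article, WebARX or ThemeGrill), the script below reads the `Version:` field from a plugin's main PHP file header, checks it against the affected range the article gives (1.3.4 through 1.6.1 inclusive, fixed in 1.6.2), and raises the severity when a user named 'admin' exists, since that is the condition under which the article says the bug yields full takeover rather than only a wipe. The plugin header text and the list of usernames are constructed sample input; on a real site you would read the header from the plugin's main file and the usernames from the WordPress users table.

```python
import re

# Affected range and fix version as stated in the article (inclusive bounds).
VULNERABLE_MIN = (1, 3, 4)
VULNERABLE_MAX = (1, 6, 1)
FIXED_VERSION = (1, 6, 2)


def parse_version(text):
    """Turn '1.6.1' into (1, 6, 1) so comparison is numeric, not lexical (1.10 > 1.9)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    # Pad short versions ('1.6' -> (1, 6, 0)) and trim anything beyond three fields.
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def read_plugin_version(plugin_header):
    """Extract the 'Version:' field from a WordPress plugin header comment, or None."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_header,
                      re.MULTILINE | re.IGNORECASE)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version):
    """True if the installed version falls inside the affected range."""
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def assess(plugin_header, usernames):
    """Combine the version check with the 'admin' account check into one verdict."""
    version = read_plugin_version(plugin_header)
    admin_present = "admin" in usernames
    if version is None:
        return {"version": None, "vulnerable": None, "admin_user_present": admin_present,
                "action": "could not read plugin version; verify manually"}
    vulnerable = is_vulnerable(version)
    if not vulnerable:
        action = "no action needed for this flaw"
    elif admin_present:
        action = ("update to 1.6.2 or newer immediately; an 'admin' account exists, "
                  "so exposure includes full site takeover, not only a wipe")
    else:
        action = "update to 1.6.2 or newer; exposure is remote content wipe"
    return {"version": version, "vulnerable": vulnerable,
            "admin_user_present": admin_present, "action": action}


# Constructed sample: a plugin header as it appears at the top of a plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ThemeGrill Demo Importer
 * Version: 1.6.1
 */
"""

# Constructed sample: account names as you would pull them from the users table.
SAMPLE_USERS = ["admin", "editor", "jane"]

if __name__ == "__main__":
    print(assess(SAMPLE_HEADER, SAMPLE_USERS))
```

On a live site the version can also be obtained with WP-CLI via `wp plugin list --fields=name,version` (assumed to be available on the host), and the user list from `wp user list --field=user_login`; feed those values into `assess` instead of the constructed samples.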