Researchers are urging users of a vulnerable WordPress plugin, ThemeGrill Demo Importer, to update as soon as possible after discovering attackers are actively exploiting a flaw in the plugin.
The ThemeGrill Demo Importer plugin is owned by ThemeGrill, which offers various templates for website outlines. This WordPress plugin helps users import and manage ThemeGrill templates on their sites. As of last week, the plugin had 200,000 active installations. According to WebARX, which discovered the flaw, that number had dipped to 100,000 installs as of Tuesday. It is unclear at this time what accounts for the drop in the number of WordPress plugin installs.
Researchers disclosed a flaw in the plugin this week, which allows unauthenticated, remote attackers to execute some administrator functions – without checking if they are an administrator. One such function is the capability to wipe the entire database of the vulnerable website, bringing it to its default state and clearing website databases of existing posts and user roles. And, after carrying out this action, an attacker would also then be logged in as an administrator – giving them complete control over the website.
“This is a serious vulnerability and can cause a significant amount of damage,” according to WebARX researchers in a post this week. “Since it requires no suspicious-looking payload … it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.”
Versions from 1.3.4 to 1.6.1 are impacted by this flaw. According to the WordPress plugin repository, versions 1.4, 1.5 and 1.6 make up 98.6 percent of active versions of the plugin. Researchers say that the issue has existed in the plugin’s code for about three years (since version 1.3.4).
Researchers discovered the vulnerability on Feb. 5 and reported it to the plugin. On Sunday, ThemeGrill released the new patched version of the plugin, version 1.6.2. However, according to reports, active exploits of the vulnerability have started, with some affected websites showing a WordPress “Hello World” post. The “Hello World” post is a “dummy” post, set by WordPress, as a placeholder post for content upon initial installation.
There's currently a severe vuln in a wordpress plugin called "themegrill demo importer" that resets the whole database. https://t.co/tT4xiqjna5 It seems attacks are starting: Some of the affected webpages show a wordpress "hello world"-post. /cc @webarx_security
— hanno (@hanno) February 18, 2020
In a message to Threatpost, WebARX confirmed that the vulnerability is being actively exploited in the wild, and said it has blocked over 16,000 attacks against this vulnerability since Feb. 16 (a list of IP addresses actively exploiting the flaw can be found here).
Flaw Technical Details
Researchers said that the prerequisite for an exploit is that there must be a theme installed and activated on the affected websites that was published by ThemeGrill. And, in order to be automatically logged in as an administrator, there must be a user called “admin” in the website’s database.
After the plugin detects that a ThemeGrill theme is installed and activated, it loads a file (/includes/class-demo-importer.php) that registers a callback on the admin_init hook. A hook is a mechanism that lets one piece of code run in response to, or modify, another piece of code. admin_init specifically runs when the administrative side of WordPress initializes, and is used to set up settings and functions intended for administrators.
The problem stems from the fact that the plugin's admin_init callback also runs on requests to /wp-admin/admin-ajax.php, an endpoint that does not require the user to be authenticated. This issue (which has occurred in other plugins before, including WP Live Chat Support) means that an attacker could merely send a specially crafted request to the /wp-admin/admin-ajax.php endpoint and would then be granted access as a user with certain administrative permissions on the website.
“admin_init is a hook that plugins can hook into,” researchers told Threatpost. “It’s executed on all admin screen/scripts. However, this also includes /wp-admin/admin-ajax.php which is also used for calls by unauthenticated users.”
After an attacker gains admin privileges, they could then be in control of the “admin” user object and clear all WordPress tables that start with the defined WordPress database prefix. This would essentially clear the database so that the website is reset to its default settings and all data in the database is lost – including all user roles, website posts and pages, and more, researchers told Threatpost.
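The root cause described above is that admin_init fires for /wp-admin/admin-ajax.php, which WordPress also serves to logged-out visitors, so a callback on that hook cannot treat the hook itself as proof of an administrator. The following is an added illustration written for this article, not ThemeGrill's code: a generic admin_init handler in its insecure form beside a hardened one that checks the user's capability and a nonce before doing anything destructive. Every name prefixed with example_ (the handler functions, the example_reset request parameter, the nonce action) is a hypothetical placeholder; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_url, wp_doing_ajax, wp_die) are real.

```php
<?php
/**
 * Added illustration (not the plugin's own code): why admin_init is not an
 * authorization boundary, and what a capability-gated handler looks like.
 *
 * admin_init fires on every admin-side request, including
 * /wp-admin/admin-ajax.php, which WordPress also serves to logged-out
 * visitors. A handler attached to it must check permissions itself.
 * The 'example_reset' parameter name is a hypothetical placeholder.
 */

// INSECURE PATTERN: the handler trusts the hook context. A logged-out
// request to admin-ajax.php carrying the parameter reaches this code.
function example_insecure_reset_handler() {
    if ( ! empty( $_GET['example_reset'] ) ) {
        example_reset_site(); // destructive action, no permission check
    }
}
// add_action( 'admin_init', 'example_insecure_reset_handler' );

// HARDENED PATTERN: verify capability and nonce before anything
// destructive happens, and fail closed on every other request.
function example_secure_reset_handler() {
    if ( empty( $_GET['example_reset'] ) ) {
        return; // not our request, do nothing
    }

    // 1. Authorization: current_user_can() returns false for anonymous
    //    visitors, so an unauthenticated admin-ajax.php hit stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action, so an administrator cannot be tricked into triggering it.
    check_admin_referer( 'example_reset_action', '_example_nonce' );

    // 3. Only honour the action from a real admin screen, never from the
    //    AJAX endpoint, if it is meant to be started from a settings page.
    if ( wp_doing_ajax() ) {
        wp_die( 'Not available via admin-ajax.', 400 );
    }

    example_reset_site();
}
add_action( 'admin_init', 'example_secure_reset_handler' );

// Link rendered on the settings page: the nonce ties the URL to the
// current user and session, so it cannot be replayed by someone else.
function example_reset_button_url() {
    $url = add_query_arg( 'example_reset', '1', admin_url( 'themes.php' ) );
    return wp_nonce_url( $url, 'example_reset_action', '_example_nonce' );
}

// Placeholder for the destructive operation; intentionally empty here.
function example_reset_site() {
    // A real implementation should touch only tables the plugin owns,
    // never every table under $wpdb->prefix.
}
```

The order of the checks matters: the capability test comes first so that an anonymous request is rejected before the nonce logic runs, and the nonce check comes before the action so that a logged-in administrator cannot be made to trigger it through a forged link. Note that is_admin() is true for admin-ajax.php requests too, so wrapping the handler in is_admin() would not have closed the gap.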
Researchers told Threatpost that the flaw doesn’t yet have a CVE number or CVSS score. Threatpost has also reached out to ThemeGrill for further information but has not yet heard back by publication.