Security News > 2020 > February > Critical Bug in WordPress Theme Plugin Opens 200,000 Sites to Hackers
A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs.
The vulnerable plugin in question is 'ThemeGrill Demo Importer' that comes with free as well as premium themes sold by the software development company ThemeGrill.
ThemeGrill Demo Importer plugin has been designed to allow WordPress site admins to import demo content, widgets, and settings from ThemeGrill, making it easier for them to quickly customize the theme.
According to a report WebARX security company shared with The Hacker News, when a ThemeGrill theme is installed and activated, the affected plugin executes some functions with administrative privileges without checking whether the user running the code is authenticated and is an admin.
WordPress Dashboard automatically notifies admins when a plugin needs to be updated, but you can also choose to have plugin updates automatically installed instead of waiting for manual action.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/ea5m7uy5j9k/themegrill-wordpress-plugin.html
Related news
- Iranian hackers act as brokers selling critical infrastructure access (source)
- LiteSpeed Cache WordPress plugin bug lets hackers get admin access (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites (source)