Critical Bug in WordPress Theme Plugin Opens 200,000 Sites to Hackers (Security News, February 2020)
A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs.
The vulnerable plugin is 'ThemeGrill Demo Importer', which ships with both the free and the premium themes sold by the software development company ThemeGrill.
The ThemeGrill Demo Importer plugin is designed to let WordPress site admins import demo content, widgets, and settings from ThemeGrill, making it easier to customize a theme quickly.
According to a report that the security company WebARX shared with The Hacker News, when a ThemeGrill theme is installed and activated, the affected plugin executes some functions with administrative privileges without checking whether the user triggering the code is authenticated, let alone whether that user is an administrator.
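The missing check described above, illustrated as an added, hypothetical WordPress plugin fragment (this is not ThemeGrill's code, which the article does not reproduce): an action handler that performs privileged work for any visitor, beside a hardened version that requires an authenticated administrator and a valid nonce. Function names and the request parameter are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Function names and the
// 'do_demo_import' parameter are hypothetical.

// VULNERABLE PATTERN: a request parameter alone decides whether privileged
// work runs. The 'init' hook fires for every request, logged in or not, so
// an unauthenticated visitor can trigger the import/reset logic.
function tg_example_unchecked_import_handler() {
    if ( isset( $_GET['do_demo_import'] ) ) {
        tg_example_run_privileged_import(); // runs for anyone
    }
}

// HARDENED PATTERN: authenticate, authorize, then verify intent.
function tg_example_checked_import_handler() {
    if ( ! isset( $_GET['do_demo_import'] ) ) {
        return;
    }
    // 1. Reject anonymous requests outright (current_user_can() below would
    //    also fail for them, but an explicit check documents the intent).
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Require a capability that only administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 3. Require a nonce bound to this action, so an admin who is tricked into
    //    opening a crafted link does not trigger the import (CSRF).
    check_admin_referer( 'tg_example_demo_import', '_wpnonce' );

    tg_example_run_privileged_import();
}

function tg_example_run_privileged_import() {
    // Placeholder for the privileged work (importing demo content and
    // settings, which may overwrite existing site data).
}

// Register only the hardened handler. The unchecked one is shown for
// contrast and must never be hooked.
add_action( 'init', 'tg_example_checked_import_handler' );
```

Links that trigger the action should be generated with wp_nonce_url() using the same 'tg_example_demo_import' action name, otherwise check_admin_referer() will reject them.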
The WordPress dashboard automatically notifies admins when a plugin needs to be updated, but you can also choose to have plugin updates installed automatically instead of waiting for manual action.
News URL: http://feedproxy.google.com/~r/TheHackersNews/~3/ea5m7uy5j9k/themegrill-wordpress-plugin.html