Flaw in WordPress Themes Plugin Allowed Hackers to Become Site Admin (Security News, February 2020)
A serious vulnerability found in a WordPress themes plugin with over 200,000 active installations can be exploited to wipe a website's database and gain administrator access to the site.
ThemeGrill Demo Importer is a popular plugin that allows WordPress website administrators to import demo content, widgets and settings for ThemeGrill themes.
Researchers at web security company WebARX discovered recently that versions 1.3.4 through 1.6.1 of the plugin are affected by a critical vulnerability that allows an unauthenticated attacker to wipe the entire database of a WordPress website.
Oliver Sild, the CEO of WebARX, told SecurityWeek that it's possible not all WordPress sites on which ThemeGrill Demo Importer is installed are vulnerable to attacks, as their operators may not have used the plugin to actually install a theme; as noted earlier, this is a condition for the exploit to work.
Sild, whose company provides vulnerability detection and virtual patching software to protect websites from third-party component vulnerabilities, noted that exploitation of the ThemeGrill flaw can be automated.