WordPress plugin hole could have allowed attackers to wipe websites
2020-02-19 11:21

A WordPress plugin with over 100,000 active installations had a hole which could have allowed unauthorised attackers to wipe its users' blogs clean, it emerged this week.

ThemeGrill is a WordPress theme developer that publishes its own Demo Importer plugin.

The Demo Importer plugin also makes it possible for unauthenticated users to wipe a WordPress site's entire database back to its default state and then log in as admin, according to a post from web application security vendor WebARX. The vulnerability has existed for roughly three years, in versions 1.3.4 through 1.6.1, said the security company, and affects sites that have the plugin installed together with a ThemeGrill theme installed and activated.

All that's needed to trigger the wipe is the inclusion of a do_reset_wordpress parameter in the URL of any WordPress admin page.
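Checking web-server access logs for requests that carried that parameter is the first thing a site owner would want to do after reading this. The Python script below is an added example, not code from the article, from WebARX or from ThemeGrill. It assumes the common Apache/Nginx "combined" log format and that the trigger key is do_reset_wordpress (the underscored form of the name the article spells out); the log lines inside it are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string key the WebARX write-up reports as the reset trigger
# (assumed here to be the underscored form of "do reset wordpress").
RESET_PARAM = "do_reset_wordpress"

# Apache/Nginx "combined" format:
#   ip ident user [ts] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (documentation IP ranges, invented timestamps); not real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2020:09:14:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2020:09:14:03 +0000] "GET /wp-admin/index.php?do_reset_wordpress=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Feb/2020:09:20:11 +0000] "GET /wp-admin/?DO_RESET_WORDPRESS=true HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.23 - - [18/Feb/2020:09:20:12 +0000] "GET /wp-admin/edit.php?do%5Freset%5Fwordpress=1 HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.23 - - [18/Feb/2020:09:20:13 +0000] "GET /wp-admin/index.php?do_reset_wordpress HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.0.2.9 - - [18/Feb/2020:09:25:00 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Feb/2020:09:25:30 +0000] "GET /?s=do_reset_wordpress HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_query_keys(target):
    """Split a request target into its path and the decoded list of query-string keys.

    keep_blank_values=True matters: a bare "?do_reset_wordpress" with no "=value"
    still counts as present to PHP's isset(), so it must not be dropped here.
    Percent-encoded keys (do%5Freset...) are decoded by parse_qsl.
    """
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, [key for key, _ in pairs]


def find_reset_attempts(log_text):
    """Flag every request whose query string carries the reset parameter as a key.

    Matching is case-insensitive so oddly cased probes are also surfaced, even
    though PHP's $_GET lookup itself is case-sensitive. A value that merely
    contains the string (e.g. a site search for it) is not a hit.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a malformed log
        path, keys = request_query_keys(rec["target"])
        if any(key.lower() == RESET_PARAM for key in keys):
            findings.append({
                "line": lineno,
                "ip": rec["ip"],
                "time": rec["ts"],
                "path": path,
                "status": int(rec["status"]),
                # the article says the trigger works on admin-side pages
                "admin_path": path.startswith("/wp-admin/"),
            })
    return findings


def sources_by_hits(findings):
    """Count flagged requests per client IP, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = find_reset_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'line {h["line"]}: {h["ip"]} -> {h["path"]} '
              f'(HTTP {h["status"]}, admin={h["admin_path"]})')
    print("per-source:", sources_by_hits(hits))
```

Run against a real log by replacing SAMPLE_LOG with the file contents; the per-source summary is what you would take to a firewall deny list or an incident timeline. Only GET query strings are visible in access logs, so a hit here is evidence of an attempt, and a 302 or 200 on its own does not prove the reset succeeded; confirm against the database and the admin user list.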

On Tuesday, ThemeGrill user mauldincultural posted on the company's WordPress support page, explaining that their site had been hacked.


News URL

https://nakedsecurity.sophos.com/2020/02/19/wordpress-plugin-hole-could-have-allowed-attackers-to-wipe-websites/

Related vendor (vulnerability counts, last 12 months)

VENDOR     #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Wordpress  49          36   409     104   29        578
Plugin     2           0    13      0     0         13