WordPress plugin hole could have allowed attackers to wipe websites
ThemeGrill is a WordPress theme developer that publishes its own Demo Importer plugin. As the name suggests, it imports demo content, widgets, and theme settings. The import takes a single button click, which makes it easy for non-technical users to get a fully configured theme populated with example posts. Unfortunately, the plugin also makes it possible for unauthenticated users to wipe a WordPress site’s entire database to its default state and then log in as admin, according to a post from web application security vendor WebARX.
The vulnerability has existed for roughly three years in versions 1.3.4 through 1.6.1, said the security company, and affects sites using the plugin that also have a ThemeGrill theme installed and activated.
The problem lies with an authentication bug in code introduced by class-demo-importer.php, a PHP file that loads a lot of the Demo Importer functionality. That file adds a code hook into admin_init, which is code that runs on any admin page.
The hook added into admin_init enables someone who isn’t logged into the site to trigger a database reset, dropping all the tables. All that’s needed to trigger the wipe is the inclusion of a do_reset_wordpress parameter in the URL on any admin-based WordPress page.
Unfortunately for site admins, one of those admin-based WordPress pages is /wp-admin/admin-ajax.php. This page, which loads the WordPress Core, doesn’t need a user to be authenticated when it loads, WebARX explains.
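For site owners who want to check whether the trigger described above was ever requested, the following is an added example (not code from WebARX or ThemeGrill) that scans web server access logs for admin-page requests carrying the do_reset_wordpress parameter. It assumes Apache/nginx "combined" log format; the sample log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Leading fields of an Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_PARAM = "do_reset_wordpress"  # parameter named in the article
ADMIN_DIR = "/wp-admin/"            # any admin page, including admin-ajax.php


def is_reset_attempt(target):
    """True if a request target is an admin page carrying the reset parameter."""
    parts = urlsplit(target)
    # "in" rather than startswith: WordPress may live in a subdirectory.
    if ADMIN_DIR not in unquote(parts.path):
        return False
    # parse_qsl percent-decodes names; keep_blank_values keeps "?name" with no value.
    names = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return RESET_PARAM in names  # match the parameter name, not a value


def find_reset_attempts(lines):
    """Return one record per log line that requested the reset trigger."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_reset_attempt(m["target"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?do_reset_wordpress=1 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.4 - - [01/Jan/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:02:30 +0000] "GET /blog/wp-admin/index.php?do%5Freset%5Fwordpress=true HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /?s=do_reset_wordpress HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [01/Jan/2024:10:03:05 +0000] "GET /wp-admin/admin-ajax.php?action=do_reset_wordpress HTTP/1.1" 400 1 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_reset_attempts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

A hit shows that the trigger was requested, not that a reset ran; that depends on the plugin version and the active-theme condition the article lists.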