WordPress plugin hole could have allowed attackers to wipe websites

A WordPress plugin with over 100,000 active installations had a hole which could have allowed unauthorised attackers to wipe its users' blogs clean, it emerged this week.

ThemeGrill is a theme developer that publishes its own Demo Importer plugin. As the name suggests, it imports demo content, widgets, and theme settings. By importing this data with a single button click, it makes demo content easy for non-technical users to import, giving them fully configured themes populated with example posts. Unfortunately, it also makes it possible for unauthenticated users to wipe a WordPress site's entire database to its default state and then log in as admin, according to a post from web application security vendor WebARX.

The vulnerability has existed for roughly three years in versions 1.3.4 through 1.6.1, said the security company, and affects sites using the plugin that also have a ThemeGrill theme installed and activated.

The problem lies with an authentication bug in code introduced by class-demo-importer.php, a PHP file that loads much of the Demo Importer functionality. That file adds a hook into admin_init, an action that runs on any admin-side request.

The hook added into admin_init enables someone who isn't logged into the site to trigger a database reset, dropping all the tables. All that's needed to trigger the wipe is the inclusion of a do_reset_wordpress parameter in the URL on any admin-based WordPress page.

Unfortunately for site admins, one of those admin-based WordPress pages is /wp-admin/admin-ajax.php. This page, which loads the WordPress Core, doesn't need a user to be authenticated when it loads, WebARX explains.
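As an added illustration, not the plugin's own code, the pattern the article describes (a reset keyed only on a request parameter inside an admin_init callback) beside a hardened version that requires an administrator and a nonce; `perform_demo_reset` is a hypothetical helper standing in for the actual table-dropping logic.

```php
<?php
// Illustrative example added to this article; not ThemeGrill's code.
// perform_demo_reset() is a hypothetical helper that drops and reinstalls tables.

// The pattern the article describes: admin_init fires for every admin-side
// request, including unauthenticated loads of /wp-admin/admin-ajax.php, so a
// reset gated only on a query parameter is reachable without logging in.
function demo_reset_unsafe() {
    if ( isset( $_GET['do_reset_wordpress'] ) ) {
        perform_demo_reset();
    }
}
// add_action( 'admin_init', 'demo_reset_unsafe' );  // do not register this

// Hardened version: an administrator capability check stops anonymous and
// low-privilege users, and a nonce bound to this action stops CSRF against
// an admin who is logged in. Both are WordPress core functions.
function demo_reset_safe() {
    if ( ! isset( $_GET['do_reset_wordpress'] ) ) {
        return;
    }
    // admin-ajax.php sets the AJAX context; a destructive reset has no
    // business running there, so refuse it outright.
    if ( wp_doing_ajax() ) {
        wp_die( 'Reset is not available over admin-ajax.php', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Verifies the _wpnonce query argument for the 'demo_importer_reset' action
    // and dies with a 403 page if it is missing or stale.
    check_admin_referer( 'demo_importer_reset' );

    perform_demo_reset();
    wp_safe_redirect( admin_url( 'themes.php?page=demo-importer&reset=done' ) );
    exit;
}
add_action( 'admin_init', 'demo_reset_safe' );

// The link that triggers the reset must carry the matching nonce.
function demo_reset_link() {
    $url = admin_url( 'themes.php?page=demo-importer&do_reset_wordpress=1' );
    return wp_nonce_url( $url, 'demo_importer_reset' );
}
```

The `themes.php?page=demo-importer` slug is an assumed plugin page, not one taken from the article.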
