Critical Bug Found in WordPress Theme Plugin, Leaving over 200,000 Sites at Risk

A significant but easy-to-exploit software weakness has been found in a well-known WordPress theme plugin with more than 200,000 active installations; it could compromise a wide range of websites and blogs if left unpatched.

The ThemeGrill Demo Importer plugin lets WordPress administrators import demo content, widgets and ThemeGrill settings to help them customize their theme quickly.

According to the security company WebARX, which shared its findings with The Hackers Review, the plugin executes functions without checking whether the user running the code is authenticated and is an administrator, provided a ThemeGrill theme is installed and active.

The defect may ultimately allow unauthenticated remote attackers to wipe the entire database of a targeted site back to its default state and then log in as administrator, giving them full control over the site.

The vulnerability affects ThemeGrill Demo Importer plugin versions 1.3.4 to 1.6.1, all released in the last three years. According to the WebARX researchers, the vulnerable code is reachable through a URL present on every WordPress site, /wp-admin/admin-ajax.php, which requires no authentication.
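The root cause described above is a privileged action exposed through admin-ajax.php with no check on who is calling. The following is an added illustration, not ThemeGrill's code and not taken from the WebARX report: a hypothetical "demo reset" AJAX handler registered the weak way (runs for any visitor, gated only on which theme is active) next to the hardened version a plugin author should write (capability check, nonce check, POST only, no anonymous hook). All function, action and option names here are invented for the example.

```php
<?php
/*
 * Added example, not the plugin's own code. Shows why "is the right theme
 * active?" is not an authorization check, and what the check should look like.
 * Action names "demo_reset_weak" / "demo_reset" and every function below
 * are hypothetical.
 */

// Stand-in for the destructive work (in the real bug: resetting the database
// to its defaults). Here it only records a timestamp so the example is harmless.
function demo_reset_do_work() {
    update_option( 'demo_reset_last_run', time() );
}

/* ---------- Weak pattern: who is calling is never checked ---------- */

function demo_reset_handler_weak() {
    // The only gate is the active theme's name. That is a property of the
    // site, not of the requester, so it protects nothing.
    if ( 'Hypothetical Theme' !== wp_get_theme()->get( 'Name' ) ) {
        wp_send_json_error( 'theme not active', 403 );
    }
    demo_reset_do_work();
    wp_send_json_success();
}
// wp_ajax_nopriv_* fires for visitors who are NOT logged in. Registering the
// handler on both hooks makes it reachable by anyone who can send a request to
// /wp-admin/admin-ajax.php?action=demo_reset_weak
add_action( 'wp_ajax_demo_reset_weak',        'demo_reset_handler_weak' );
add_action( 'wp_ajax_nopriv_demo_reset_weak', 'demo_reset_handler_weak' );

/* ---------- Hardened pattern ---------- */

function demo_reset_handler_safe() {
    // 1. Authorization: only users who may manage the site can reset it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection: require a nonce bound to this action. With the
    //    default third argument, check_ajax_referer() dies with HTTP 403 if
    //    the nonce is missing or invalid.
    check_ajax_referer( 'demo_reset_nonce', 'nonce' );
    // 3. A state-changing operation should not be triggered by a GET.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    demo_reset_do_work();
    wp_send_json_success();
}
// Only the authenticated hook is registered. Anonymous requests for this
// action get WordPress's default "0" / 400 response and never reach the code.
add_action( 'wp_ajax_demo_reset', 'demo_reset_handler_safe' );

/* ---------- Issuing the nonce to the admin page that calls the action ---------- */

function demo_reset_enqueue_admin_script( $hook_suffix ) {
    // Only load on the plugin's own settings page (hypothetical slug).
    if ( 'settings_page_demo_reset' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'demo-reset-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // The page's JavaScript sends these two values as POST fields
    // "action=demo_reset" and "nonce=<value>" to admin-ajax.php.
    wp_localize_script( 'demo-reset-admin', 'demoReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_reset_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_reset_enqueue_admin_script' );
```

For defenders reviewing their own plugins, the audit question is simple: every `wp_ajax_nopriv_*` registration should point at a handler that does nothing a logged-out visitor must not be allowed to do, and every `wp_ajax_*` handler that changes state should call `current_user_can()` and `check_ajax_referer()` before doing so. Because admin-ajax.php requests look ordinary to a web application firewall (as the WebARX researchers note), the practical detection signal is in your own access logs: POST or GET requests to `/wp-admin/admin-ajax.php` carrying a destructive `action=` value from sessions that never authenticated.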

"This is a serious weakness and can cause considerable harm. Because no suspicious payload is needed, no firewall blocks this by design, and a special rule must be developed that will block this vulnerability," said WebARX researchers.

The vulnerability was responsibly disclosed by WebARX, a company that provides vulnerability detection and virtual patching software to stop websites from being exposed through third-party components.

The WordPress dashboard automatically notifies administrators when the plugin needs to be updated, but instead of waiting for that prompt, you can also choose to have plugin updates installed automatically.
