Hackers have been actively exploiting a critical vulnerability in a WordPress plug-in that lets them wipe a site's entire database and, in some cases, take complete control of the affected website.
The flaw is in the ThemeGrill Demo Importer, installed on more than 100,000 websites, and was disclosed last weekend by the security firm WebARX. Today, WebARX reported that the flaw was still being exploited, with nearly 17,000 attacks blocked so far. Hanno Böck, a journalist at Golem.de, had seen active attacks several hours earlier and reported them on Twitter.
There's currently a severe vuln in a wordpress plugin called "themegrill demo importer" that resets the whole database. https://t.co/tT4xiqjna5 It seems attacks are starting: Some of the affected webpages show a wordpress "hello world" -post. / cc @webarx_security
– hanno (@hanno) February 18, 2020
"Currently, there is a major problem with a WordPress plug-in called 'themegrill demo importer' that resets the entire WordPress database," wrote Böck.
https://webarxsecurity/critical-issue-in-themegrill-demo-importer/ "It seems that the attacks are starting: some of the affected pages show a WordPress post with the message 'Hello World'. If you use this plug-in and your web page has not yet been wiped, consider yourself lucky. Remove the plug-in as soon as possible. (REMOVE! There's no point in updating it.)"
The "Hello World" post is the default content displayed on a WordPress site when the open source content management system is first installed or after it has been reset.
Hackers appear to be exploiting the ThemeGrill vulnerability in the hope of gaining administrative control over the affected sites. A site takeover only occurs when the vulnerable site has an account named "admin". In that case, after the hackers exploit the vulnerability and wipe all data, they are automatically logged in as a user with administrative rights.
In most cases, resetting the database is not a problem in itself, since most hosts keep backups, so the wipe alone is of little use to a hacker. But if there is an "admin" user, the attacker can take over the entire site, because after the reset they are logged in as that account rather than any account of yours.
Therefore, it is expected that these hackers are acting to hijack the sites and charge a ransom for them. This has already happened with my website. Luckily it was not a malicious hacker; he was just, at the time, calling attention to the vulnerability of WordPress sites that do not use a captcha to log in. I installed one of the plug-ins and it restored my access.
But it seems that none of the sites affected now are so lucky: their sites are either wiped or hijacked.
The ThemeGrill Demo Importer is used to automatically import demo content and other plugins available from the web development company https://themegrill/. WordPress statistics initially said that the importer plugin had 200,000 installations. More recently, the number was revised down to around 100,000, probably because many sites have chosen to remove the plug-in.
According to WebARX, the vulnerability has existed for about three years and resides in versions 1.3.4 to 1.6.1. The fix is available in version 1.6.2, and a newer version (1.6.3) was released in the past 12 hours.
The bug stems from a failure to authenticate users before allowing them to execute privileged administrative actions. Hackers can abuse this flaw by sending web requests that contain specially crafted parameters.
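The bug class described above, shown as an added illustration that is not the ThemeGrill Demo Importer's own code: a destructive action hooked to WordPress's `admin_init` with no authentication check, beside the hardened form. All function and parameter names here are hypothetical, and the snippet assumes the WordPress runtime (`add_action`, `current_user_can`, `check_admin_referer`).

```php
<?php
// Added illustration of the missing-authentication bug class; hypothetical
// names, not the actual plugin's code. Assumes it is loaded inside WordPress.

// Hypothetical stand-in for the destructive operation (logs instead of acting).
function example_reset_site_database() {
    error_log( 'example: database reset would run here' );
}

// VULNERABLE pattern: admin_init fires for every wp-admin request, including
// admin-ajax.php, which unauthenticated visitors can reach. Nothing here checks
// who sent the request, so anyone who supplies the trigger parameter wipes the
// site; the reset then leaves the request logged in as the "admin" account.
function example_vulnerable_reset() {
    if ( isset( $_GET['example_reset_trigger'] ) ) {
        example_reset_site_database();
    }
}
// add_action( 'admin_init', 'example_vulnerable_reset' ); // never register this

// HARDENED pattern: require an authenticated administrator, then a nonce bound
// to this action (CSRF protection), and only then run the destructive step.
function example_hardened_reset() {
    if ( ! isset( $_GET['example_reset_trigger'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 when the nonce is missing or invalid.
    check_admin_referer( 'example_reset_action', 'example_nonce' );
    example_reset_site_database();
}
add_action( 'admin_init', 'example_hardened_reset' );
```

The capability check is what decides whether an anonymous request can reach the destructive call; the nonce additionally stops a logged-in administrator from being tricked into triggering it.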
Researchers at WebARX discovered the vulnerability and reported it to the ThemeGrill developers on February 2. The plugin developer did not issue a fix until last Sunday.
Sites that use ThemeGrill should look for other solutions and stop using the vulnerable plug-in.