200 thousand WordPress sites at risk for the bug of a ThemeGrill plugin

Anyone who administers a WordPress website and uses the commercial templates sold by ThemeGrill should update, as soon as possible, one of the plugins installed alongside these themes, in order to fix a dangerous bug that could allow an attacker to compromise the site by deleting its contents.

The vulnerability lies in the ThemeGrill Demo Importer plugin, which ships with the themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin is installed on over 200,000 websites and lets the site administrator import demonstration content into ThemeGrill templates, so that they can view examples and have a starting point from which to build their own site.

WebARX, a company that specialises in WordPress security, has published a report stating that older versions of ThemeGrill Demo Importer are vulnerable to remote attacks by unauthenticated attackers. An attacker can remotely send a specially crafted payload to a vulnerable site to trigger a function within the plugin. This function resets the site database, wiping all of its contents: WordPress sites with an active ThemeGrill theme and the vulnerable plugin installed are therefore at risk. Furthermore, if the site database contains a user named Admin, the attacker is granted access to that account, which has administrator privileges over the whole site.

The vulnerability affects versions of ThemeGrill Demo Importer from 1.3.4 through 1.6.1. ThemeGrill fixed the problem and released an updated version of the plugin, 1.6.2, over the weekend.
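As an added example (not from the article, WebARX or ThemeGrill), the following Python reads the Version field from a WordPress plugin header and checks it against the affected range quoted above, comparing numerically rather than as strings. The plugin header below is a constructed sample; the plugin file path is left to the caller.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range and fix version as reported in the article.
FIRST_VULNERABLE = "1.3.4"
LAST_VULNERABLE = "1.6.1"
FIXED_IN = "1.6.2"

# Constructed sample of a WordPress plugin header comment (not the real plugin file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Example Demo Importer
 * Description: Constructed sample header for illustration only.
 * Version: 1.6.1
 * Author: Example
 */
"""


def parse_version(header_text: str) -> Optional[str]:
    """Return the Version: field from a WordPress plugin header, or None if absent."""
    m = re.search(r"^[ \t/*#]*Version:\s*(\S+)", header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.6.1' into (1, 6, 1) so comparisons are numeric: '1.10.0' is newer than '1.6.1'.
    A non-numeric suffix such as '-beta1' is dropped from the component carrying it."""
    parts = []
    for component in version.split("."):
        digits = re.match(r"\d+", component)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version lies in the reported affected range (inclusive at both ends)."""
    v = version_tuple(version)
    return version_tuple(FIRST_VULNERABLE) <= v <= version_tuple(LAST_VULNERABLE)


def assess(header_text: str) -> Dict[str, object]:
    """Summarise a plugin header: installed version, whether it is affected, and what to do."""
    version = parse_version(header_text)
    vulnerable = version is not None and is_vulnerable(version)
    action = f"update to {FIXED_IN} or later" if vulnerable else "no action needed"
    return {"version": version, "vulnerable": vulnerable, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER))
```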

This is the second WordPress bug discovered this year that allows an attacker to delete a site's database. Last month Wordfence discovered a similar problem in the WP Database Reset plugin, installed on over 80 thousand websites. For more on the topic, see the article Serious flaws for three WordPress plugins: 400 thousand sites at risk.
