A WordPress Plugin Called 'ThemeGrill Demo Importer' Exposed 200,000 Websites to Hackers
Content Management Systems (CMS) like WordPress have completely transformed the process of creating and maintaining a website. Right now, building a website can be as easy as setting up a WordPress installation and adding some content. The people who once wrote entire sites from scratch now create CMS themes and plugins that help you tweak and customize your very own website with no more than a few clicks of the mouse. It's much more convenient and, more importantly, quite a bit cheaper than it used to be. There is a trade-off, though.
The people who write themes and plugins for platforms like WordPress do make mistakes every now and again, and when they do, the errors don't affect just one website. A single bug can cause issues for thousands of websites, and if the problem is security-related, the consequences can be pretty devastating. A recently discovered vulnerability in the ThemeGrill Demo Importer plugin for WordPress showed us just how bad things could be.
ThemeGrill left a bug that could have allowed hackers to wipe entire websites
ThemeGrill develops premium themes for WordPress, and it also offers a plugin called ThemeGrill Demo Importer, which lets administrators easily import themes and settings directly to their websites. If you have a WordPress-based website and if you use ThemeGrill Demo Importer, you must make sure that the plugin is updated to its latest version. Researchers from WebARX discovered that all incarnations of the plugin between ThemeGrill Demo Importer 1.3.4 and ThemeGrill Demo Importer 1.6.1 are affected by a critical security vulnerability that can let hackers wreak complete havoc.
The problem lies with a function called reset_wizard_actions, which is loaded when the plugin detects an active ThemeGrill theme. The function is hooked to admin_init, which normally runs only in the admin environment. admin_init is also triggered by requests to /wp-admin/admin-ajax.php, though, and the researchers discovered that when reached through this file, reset_wizard_actions doesn't check whether the user is authenticated.
Using carefully crafted payloads, hackers can either wipe out all of the content on a vulnerable website, or they can assume administrative rights and do more or less whatever they want with it.
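As an added illustration that is not ThemeGrill's code, the following hypothetical WordPress plugin snippet shows the pattern the researchers describe, a handler hooked to admin_init that never checks who is calling it, beside a hardened version that verifies the user's capability and a nonce before doing anything. The demo_ function names and the do_reset_wizard query parameter are assumptions.

```php
<?php
// Added illustration (not ThemeGrill's code): a hypothetical plugin that
// hooks a destructive "reset" action to admin_init.
//
// admin_init fires for every request handled by the admin bootstrap,
// including /wp-admin/admin-ajax.php, which WordPress also serves to
// logged-out visitors. Anything hooked to it must verify the caller itself.

// --- Vulnerable pattern: trusts the hook context instead of the user ---
function demo_reset_wizard_actions_vulnerable() {
    if ( empty( $_GET['do_reset_wizard'] ) ) {
        return;
    }
    // No current_user_can() and no nonce: any request that reaches
    // admin_init, including an unauthenticated admin-ajax.php request,
    // can trigger the reset.
    demo_reset_site_content();
}
add_action( 'admin_init', 'demo_reset_wizard_actions_vulnerable' );

// --- Hardened pattern: check capability and nonce before acting ---
function demo_reset_wizard_actions_hardened() {
    if ( empty( $_GET['do_reset_wizard'] ) ) {
        return;
    }
    // Reject callers who are not logged in or lack administrator rights.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject requests that did not originate from the plugin's own
    // admin screen (protects against CSRF); dies on a bad nonce.
    check_admin_referer( 'demo_reset_wizard' );

    demo_reset_site_content();
}
// Only one of the two handlers would be registered in a real plugin:
// add_action( 'admin_init', 'demo_reset_wizard_actions_hardened' );

// Placeholder (assumed) for the destructive operation the article
// describes; the fix is in the checks above, not in this function.
function demo_reset_site_content() {
    // ... delete posts, options, etc. ...
}
```

The hardened handler also works when registered on a dedicated wp_ajax_ hook instead of admin_init, since the capability and nonce checks do not depend on which hook fires.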
ThemeGrill patched the plugin
WebARX's report shows that disclosing the problem and helping with the fix wasn't the smoothest experience, but we should point out that we've seen far worse. The researchers sent their first report on February 6. After receiving no replies for five days, they tried to get in touch with ThemeGrill again. On February 14, the developer finally replied, and within two days, a new version that addresses the issue was released.
The fact that the vulnerability is patched is good news, but it's only half the story. ThemeGrill Demo Importer 1.3.4, the version that introduced the bug, was released a whopping three years ago, and every single website that used the plugin between then and Sunday, when the patch was released, has been exposed. Although there's no evidence of in-the-wild exploitation, many of the 200,000 websites that have ThemeGrill Demo Importer installed still use vulnerable versions of the plugin, which means that we could see victims of the vulnerability very soon.
This is where the big problem lies. According to W3Techs, WordPress powers more than 35% of all websites around the world. There is a whole ecosystem supporting the CMS, and millions of people use it because maintaining a website with it is about as easy as it gets. Sadly, experience has taught us that security updates and patches aren't very high on many of these people's priority lists. If the internet is to become a safer place, this must change.