Critical Bug in WordPress Theme Plugin Leaves 200,000 Sites Open to Attack

An extremely critical vulnerability in a popular WordPress plugin with over 200,000 active installations has left a large number of websites and blogs open to attack. The plugin, 'ThemeGrill Demo Importer', is published by ThemeGrill, a software development company that offers free and premium WordPress themes. It lets site administrators import demo content, widgets and settings from ThemeGrill so that a theme can be customized quickly.

WebARX, the security company that found the flaw, reports that when a ThemeGrill theme is installed and active, the plugin executes certain functions with administrative privileges without first checking whether the request comes from an authenticated user, let alone an administrator.

This is a major flaw: it allows an unauthenticated remote attacker to reset the site's entire database to its default state, wiping its content, and as a result to gain administrator access and take complete control of the site.
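To make the class of bug concrete, the following is an added example written for this article; it is not ThemeGrill's code (which the article does not reproduce) and the function names, the `do_reset` request parameter and the `demo_reset` nonce action are hypothetical. It shows a destructive action hooked to WordPress's `admin_init` hook that trusts the request without asking who sent it, beside a hardened version that gates the same action behind a capability check and a nonce check.

```php
<?php
/**
 * Illustrative example, not ThemeGrill's code. admin_init fires on every
 * wp-admin request, including /wp-admin/admin-ajax.php, which logged-out
 * visitors can reach, so anything hooked to it must check the caller itself.
 * Only one of the two handlers below would be registered in a real plugin;
 * both are shown side by side for comparison.
 */

// --- Vulnerable pattern (hypothetical) -------------------------------------
function demo_reset_vulnerable() {
    // Nothing here asks whether the visitor is logged in, or is an administrator.
    if ( ! empty( $_GET['do_reset'] ) ) {
        demo_reset_site();
    }
}
add_action( 'admin_init', 'demo_reset_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
function demo_reset_hardened() {
    if ( empty( $_GET['do_reset'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage the site may reset it.
    //    For an anonymous visitor current_user_can() is always false.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Nonce check: stops a third party from tricking a logged-in admin's
    //    browser into sending the reset request (cross-site request forgery).
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_reset' ) ) {
        wp_die( 'Invalid or missing nonce.', 'Forbidden', array( 'response' => 403 ) );
    }
    demo_reset_site();
}
add_action( 'admin_init', 'demo_reset_hardened' );

// The only legitimate way to build the reset link: the nonce is tied to the
// 'demo_reset' action and to the current user's session.
function demo_reset_link() {
    return wp_nonce_url( admin_url( 'admin.php?page=demo-importer&do_reset=1' ), 'demo_reset' );
}

// Placeholder for the destructive operation (hypothetical). A real reset would
// drop and recreate tables, which is exactly why the gating above matters.
function demo_reset_site() {
    // ... drop tables, reinstall defaults ...
}
```

The order of the two checks matters: the capability check rejects unauthenticated callers outright, and the nonce check protects administrators who are authenticated but were lured into clicking a crafted link. Neither check alone covers both cases.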

According to the WebARX researchers, the flaw affects ThemeGrill Demo Importer versions 1.3.4 through 1.6.1, a range of releases spanning roughly the last three years. They warn that it can cause serious damage: no web application firewall can be expected to block it by default, so a specific rule is needed to stop exploitation. WebARX provides vulnerability detection and virtual patching software to protect sites against vulnerabilities in third-party components.

WebARX reported the vulnerability to ThemeGrill's developers around two weeks before publication, and ThemeGrill released a patched version, 1.6.2, on February 16. The WordPress dashboard normally notifies administrators when a plugin update is available; administrators can also choose to have plugin updates installed automatically instead of applying them by hand.
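As an added example (not from the article, WebARX or ThemeGrill), the snippet below does two things an administrator would want after reading this: it flags an installed copy whose version falls in the affected range 1.3.4 to 1.6.1, and it opts this one plugin into WordPress's automatic plugin updates through the core `auto_update_plugin` filter. The plugin basename `themegrill-demo-importer/themegrill-demo-importer.php` is an assumption about the plugin's file layout and should be checked against the site's `wp-content/plugins/` directory.

```php
<?php
/**
 * Illustrative must-use plugin (save under wp-content/mu-plugins/), not code
 * from the article or the plugin vendor. The basename below is assumed.
 */

define( 'TGDI_BASENAME', 'themegrill-demo-importer/themegrill-demo-importer.php' ); // assumed path

// True when the installed version is within the range the article reports as affected.
function tgdi_is_vulnerable_version( $version ) {
    return version_compare( $version, '1.3.4', '>=' )
        && version_compare( $version, '1.6.1', '<=' );
}

// Show a dashboard error notice if the installed version is affected.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $file = WP_PLUGIN_DIR . '/' . TGDI_BASENAME;
    if ( ! file_exists( $file ) ) {
        return; // plugin not installed under the assumed path
    }
    $data = get_plugin_data( $file, false, false );
    if ( tgdi_is_vulnerable_version( $data['Version'] ) ) {
        echo '<div class="notice notice-error"><p>ThemeGrill Demo Importer '
            . esc_html( $data['Version'] )
            . ' is in the affected range; update to 1.6.2 or later.</p></div>';
    }
} );

// Install updates for this plugin automatically. Other plugins keep whatever
// the site's default is, because we return the incoming $update unchanged.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && TGDI_BASENAME === $item->plugin ) {
        return true;
    }
    return $update;
}, 10, 2 );
```

Auto-updates still depend on WordPress's cron running, so on a site where `DISABLE_WP_CRON` is set or traffic is low the update may lag; forcing it from the command line with `wp plugin update` (WP-CLI, with the plugin's slug, assumed here to be `themegrill-demo-importer`) closes that gap immediately.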