Security researchers recently discovered a flaw in a WordPress plugin, which puts 200,000 websites in danger of being wiped out or hijacked by hackers.
WordPress plugins can be very helpful for running a website unless they turn out to have a vulnerability that can not only allow hackers to hijack a website but also wipe it out completely. The situation is significantly worsened if it is a popular plugin used by thousands of sites.
This is what security researchers from WebARX reported recently, warning WordPress site owners who use a plugin called ThemeGrill Demo Importer, provided by ThemeGrill. Fortunately, ThemeGrill has already released a patch that fixes the issue, and everyone who uses this plugin is advised to update it as soon as possible. According to the plugin’s statistics, it is currently used by 200,000 websites, whose owners added the plugin for its rich themes when building their sites. All such websites were found to be exposed to remote attacks that could grant access to unauthenticated individuals.

Bug in WordPress plugin can let hackers wipe up to 200,000 sites https://t.co/zPCacuUT6H
— ZDNet (@ZDNet) February 18, 2020
Details about the WordPress Flaw
According to researchers, all a remote attacker needs to do is craft and send a special payload that triggers a function within the plugin. That function resets the website’s content to zero. In other words, a single payload can wipe out all of the site’s content if a ThemeGrill theme is active. As noted above, the flaw can also grant attackers access to the site: if its database contains a user named ‘admin,’ the attacker is logged in as that user, which is why website owners should change that username as well, just to be safe. Not all versions of the plugin are affected. The flawed versions are 1.3.4 through 1.6.1. After being notified of the flaw, ThemeGrill’s developers released v1.6.2, which supersedes the earlier versions and fixes the vulnerability. Unfortunately, this is not the first, and likely not the last, WordPress plugin to have a flaw of this kind. Previously, a similar issue was found in a plugin called WP Database Reset, which was installed on 80,000 websites.
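The root of this class of bug is a destructive plugin action that runs as soon as a request parameter is present, with no check of who sent the request. The following fragment is an added illustration, not ThemeGrill’s code and not taken from the article; every name prefixed with example_ is a hypothetical placeholder. It shows the unsafe pattern next to the hardened form a plugin author should use: a capability check so only administrators can reach the action, a nonce tied to the logged-in user so a blindly sent payload or a cross-site request is rejected, and an explicit confirmation value. The hardened handler also never signs anyone in, so no ‘admin’ account can be hijacked through it.

```php
<?php
/*
 * Hypothetical WordPress plugin fragment (constructed example, not ThemeGrill's
 * code). All identifiers prefixed example_ are assumptions for illustration.
 */

// Unsafe pattern: the reset fires on a request parameter alone. admin_init runs
// for every request that loads wp-admin, including admin-ajax.php, which does
// not require a login, so an unauthenticated request can trigger this handler.
function example_plugin_insecure_reset_handler() {
    if ( isset( $_GET['example_do_reset'] ) && $_GET['example_do_reset'] === 'true' ) {
        example_plugin_reset_site(); // runs for anyone who sends the parameter
    }
}
// add_action( 'admin_init', 'example_plugin_insecure_reset_handler' ); // do NOT wire this up

// Hardened pattern: same action, reachable only by a logged-in administrator
// who followed a nonce-protected link generated for them by the plugin.
function example_plugin_secure_reset_handler() {
    if ( ! isset( $_GET['example_do_reset'] ) ) {
        return;
    }
    // 1. Capability check: only users who may manage the site can reset it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset this site.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the request must come from a link or form WordPress
    //    generated for this user and this action. Dies on failure.
    check_admin_referer( 'example_plugin_reset', 'example_nonce' );
    // 3. Require an explicit confirmation value, not just any truthy string.
    if ( $_GET['example_do_reset'] !== 'confirm' ) {
        return;
    }
    example_plugin_reset_site();
    wp_safe_redirect( admin_url( 'themes.php?page=example-plugin&reset=done' ) );
    exit;
}
add_action( 'admin_init', 'example_plugin_secure_reset_handler' );

// Link the plugin's settings page would render; the nonce is bound to the
// current user's session, so it cannot be precomputed by an outsider.
function example_plugin_reset_link() {
    $url = add_query_arg( 'example_do_reset', 'confirm', admin_url( 'themes.php?page=example-plugin' ) );
    return wp_nonce_url( $url, 'example_plugin_reset', 'example_nonce' );
}

// Stand-in for the destructive work. A real reset would drop and recreate the
// site's tables; here we only record that a reset ran, so the fragment is
// harmless to try on a test install.
function example_plugin_reset_site() {
    update_option( 'example_plugin_last_reset', time() );
    return true;
}
```

When reviewing a plugin, the check is simple: find every handler hooked on admin_init, admin-ajax actions (especially wp_ajax_nopriv_*) or the REST API, and confirm that anything which modifies data is guarded by both a capability check and a nonce or equivalent authentication before it touches the database.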