Critical Issue In ThemeGrill Demo Importer Leads to Database Wipe and Auth Bypass (Feb 17, 2020)

ThemeGrill Demo Importer, a WordPress plugin with over 200,000 active installations that is used to automatically import other plugins, has a critical vulnerability. The vulnerability allows unauthenticated users to wipe the entire site on any installation that has a ThemeGrill theme installed. Once the plugin detects a ThemeGrill theme, it runs a script that requires no authentication and automatically logs the requester in as an admin. Because firewalls won't protect against this type of vulnerability, a lot of damage can be done.

Recommendation: A patch has been released by WordPress and should be applied immediately by ThemeGrill Demo Importer users. Additionally, your company should have policies in place to review and apply security updates for the software in use, to protect against known vulnerabilities that threat actors may exploit.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.