A simple plug-in to wipe the entire site!
ThemeGrill is one of the fairly popular theme makers for WordPress sites. Its themes come with several plugins as a package that can be used by website owners for several purposes. But, a plugin named ThemeGrill Demo Installer is contained with a critical security bug that can let unauthorized persons gain website internal access and perform admin actions. From reports, it’s said to be installed in over 200,000 sites as of today! The Demo Installer is for importing the Demo content within ThemeGrill to let publishers have an idea of building things in the site. And as WebARX reported, hackers can craft specific payloads and send to the site, where it triggers an internal function that is vulnerable. This can let them wipe the entire site’s content to nil and further make them an admin of the site if it’s listed in site’s database. WordPress, being the biggest CMS and appealing platform for users, it’s an often target for adversaries. Previously, bugs in plug-ins like InfiniteWP, InfinityEdge, Elementor and even Jetpack led millions of sites exposed for attacks. Here, the old version Demo Installer plug-in from ThemeGrill are affected with bugs. As WebARX reported, 1.3.4 to 1.6.1 are vulnerable. The maker has already released an updated version that could patch the current flaw. Update here: ThemeGrill Demo Installer Version 1.6.3