February 16

Critical Issue Inside ThemeGrill Demo Importer RESULTS IN Database Clean and Auth Bypass

WordPress Security

0  comments

This post was originally published on this site

themegrill demo importer

The ThemeGrill Demo Importer plugin has 200.000+ energetic installations and can be utilized to import ThemeGrill official themes demo articles, widgets and theme configurations with just one single click.

In versions 1.3.4 and above and variations 1.6.1 and below, there exists a vulnerability which allows any unauthenticated consumer to wipe the complete data source to its default condition after which they’re automatically logged in being an administrator.

themegrill demo importer

The prerequisite is that there should be a style installed and activated that has been published by ThemeGrill. To become automatically logged in being an administrator, there has to be a consumer known as “admin” in the database. Irrespective of this problem, the database it’s still wiped to its default condition.

Based upon the SVN commit background, this matter has existed within the program code for roughly three years, since edition 1.3.4.

Technical Details

As soon as the plugin detects a ThemeGrill theme is installed and activated, it loads the document /includes/class-demo-importer.php which hooks reset_wizard_activities into admin_init on range 44.

The admin_init hook runs not merely in the admin environment but additionally on calls to /wp-admin/admin-ajax.php which will not need a user to end up being authenticated.

The function reset_wizard_actions looks a little just like the following (irrelevant code removed):

	public function reset_wizard_actions() 
		global $wpdb, $current_consumer;

		if ( ! empty( $_Obtain['do_reset_wordpress'] ) ) 
	

Here we note that there is absolutely no authentication examine and just the perform_reset_wordpress parameter must be within the URL upon any “admin” based web page of WordPress, which includes /wp-admin/admin-ajax.php.

If we have been currently not logged in, it’ll retrieve the “admin” user item from WordPress and fall all WordPress tables that focus on the defined WordPress data source prefix.

Once all tables have already been dropped, it’ll populate the data source with the default configurations and data and it will established the password of the “admin” consumer to its earlier known password.

However, this will not matter since we have been automatically logged in since “admin” close to the end of the event. If the “admin” user will not can be found in the database then your users’ desk will remain empty and you may not be immediately logged in as any consumer.

The Patch

The patch are available here which ultimately shows they added a present_user_may( ‘manage_choices’ ) verify to the reset_wizard_actions method.

This is really a serious vulnerability and will cause a significant quantity of damage. Since it demands no suspicious-looking payload exactly like our previous finding in InfiniteWP, it isn’t expected for just about any firewall to block this automagically and a particular rule must be intended to block this vulnerability.

Timeline

06-02-2020 – Discovery of the problem and launched a patch to all or any WebARX customers.
06-02-2020 – Reported the problem to the programmer of the plugin.
11-02-2020 – Second try to get in touch with the developer.
14-02-2020 – Received e-mail from programmer, resent the issue in their mind.
16-02-2020 – Programmer published a new edition which fixes the problem.

Protect Sites Against Plugin Vulnerabilities


Start for totally free

We are closely supervising the ThemeGrill Demo Importer vulnerability and can update this article over-time with possible IOC and essential threat details.

If you intend to stay updated concerning the vulnerabilities via social media marketing, consider joining our Facebook community and follow all of us on Twitter.

The post Critical Issue In ThemeGrill Demo Importer RESULTS IN Database Wipe and Auth Bypass appeared first on WebARX.

About the author 

WP Maintain Support Protect

You may also like

Who Attacked SolarWinds and just why WordPress Users Have to know

Who Attacked SolarWinds and just why WordPress Users Have to know

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

WordPress Hardening: 18 Methods to Harden Security of one’s Website

WordPress Hardening: 18 Methods to Harden Security of one’s Website
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!