Major Vulnerability: ThemeGrill Demo Importer


Panos Kesisis · 20th February 2020 · WordPress, Website Security


The popular plugin ThemeGrill Demo Importer, with more than 200,000 active installations, has a major security flaw that allows attackers to gain unauthorized access and wipe all the data in your site's database, leaving it looking like a default installation. Affected versions are 1.3.4 through 1.6.2. If you are using this plugin and haven't updated it recently, we advise you to update immediately.

Technical Explanation

This bug has existed in the code for quite some time. Looking back through the code commits, version 1.3.4 was released 3 years ago and the bug has been there ever since. Luckily it was fixed in the recent update, version 1.6.3. Let's see what the bug looks like in the code:

		global $wpdb, $current_user;

		// Vulnerable handler (versions 1.3.4 - 1.6.2): only the presence of the GET
		// parameter is checked; nothing verifies who is making the request.
		if ( ! empty( $_GET['do_reset_wordpress'] ) ) {

			///

			// Prefer the account named "admin" if the current user is not it...
			if ( 'admin' != $current_user->user_login ) {
				$user = get_user_by( 'login', 'admin' );
			}

			// ...and fall back to the current user if no admin-level "admin" account exists.
			if ( empty( $user->user_level ) || $user->user_level < 10 ) {
				$user = $current_user;
			}

			// Drop tables.
			$drop_tables = $wpdb->get_col( sprintf( "SHOW TABLES LIKE '%s%%'", str_replace( '_', '\_', $wpdb->prefix ) ) );
			foreach ( $drop_tables as $table ) {
				$wpdb->query( "DROP TABLE IF EXISTS $table" );
			}

			// Installs the site.
			$result = wp_install( $blogname, $user->user_login, $user->user_email, $blog_public );

			// Updates the user password with the old one.
			$wpdb->update(
				$wpdb->users,
				array(
					'user_pass'           => $user->user_pass,
					'user_activation_key' => '',
				),
				array( 'ID' => $result['user_id'] )
			);

			// Set up the password change nag.
			$default_password_nag = get_user_option( 'default_password_nag', $result['user_id'] );
			if ( $default_password_nag ) {
				update_user_option( $result['user_id'], 'default_password_nag', false, true );
			}

			///

			// Update the cookies: the requester is logged in as the freshly created user.
			wp_clear_auth_cookie();
			wp_set_auth_cookie( $result['user_id'] );

			// Redirect to demo importer page to display reset success notice.
			wp_safe_redirect( admin_url( 'themes.php?page=demo-importer&browse=all&reset=true' ) );
			exit();
		}
	}

As you can see, the "do_reset_wordpress" GET variable is acted on without any check that the user is authorized to perform this "Reset". All that was needed to fix this is the following piece of code, added in the latest update:

		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( __( 'Cheating; huh?', 'themegrill-demo-importer' ) );
		}
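As an added defensive example (not part of the original post or of the plugin's code), the following Python scans web server access-log lines for requests carrying a non-empty do_reset_wordpress parameter, mirroring the `! empty()` test in the vulnerable handler, and checks whether an installed plugin version falls in the affected range the post names. The log lines are constructed samples.

```python
"""Spot attempts to trigger the ThemeGrill Demo Importer reset in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin.php?page=demo-importer HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2020:10:02:15 +0000] "GET /wp-admin/?do_reset_wordpress=1 HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.5 - - [20/Feb/2020:10:03:44 +0000] "GET /index.php?do_reset_wordpress=true&foo=bar HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Feb/2020:10:04:00 +0000] "GET /?do_reset_wordpress=0 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Feb/2020:10:04:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_reset_attempts(log_text):
    """Return (ip, timestamp, status, target) for each request that would reach the reset branch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        # PHP's empty() treats "" and "0" as empty, so those values do not trigger the
        # reset; any other non-empty value does (not only "1"). Mirror that exactly.
        values = params.get("do_reset_wordpress", [])
        if any(v not in ("", "0") for v in values):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), m.group("target")))
    return hits


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version):
    """True if the plugin version is within 1.3.4 .. 1.6.2, the range the post names as vulnerable."""
    return _version_tuple("1.3.4") <= _version_tuple(version) <= _version_tuple("1.6.2")


if __name__ == "__main__":
    for ip, ts, status, target in find_reset_attempts(SAMPLE_LOG):
        print(f"reset attempt from {ip} at {ts} -> {status} {target}")
```

A 302 response to such a request is consistent with the handler's `wp_safe_redirect` running to completion and warrants checking the database and the admin account.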

Conclusion

Keeping your site up to date, along with all its plugins and themes, is extremely important. We always advise our clients to do so to prevent issues like this one. If you've been affected by this hack or need ongoing maintenance, support and WordPress updates, let us know; we can help.