Hackers exploit critical vulnerability found in ~100,000 WordPress sites

The defect is in the ThemeGrill Demonstration Importer set up on some 100,000 sites, and it was divulged over the weekend by Website security business WebARX. By Tuesday, WebArx reported that the defect was under active exploit with nearly 17,000 attacks obstructed up until now. Hanno Böck, a reporter who works for Golem.de, had actually identified active attacks a number of hours prior to and reported them on Twitter.

“There’s currently a severe vuln in a wordpress plugin called ” theme grill demo importer” that resets the whole database,” Böck composed. “https://webarxsecurity.com/critical-issue-in-themegrill-demo-importer/ It seems attacks are starting: Some of the affected webpages show a wordpress ‘hello world’-post. /cc If you use this plugin and your webpage hasn’t been deleted yet consider yourself lucky. And remove the plugin. (Yes, remove it, don’t just update.)”

Hi, terrible world

The “Hello World” message is the default placeholder shown on WordPress sites when the open source content management system is first set up or when it’s wiped tidy. Böck informed me that aggressors seem to make use of the ThemeGrill vulnerability in hopes of getting administrative control over impacted sites. Website takeovers just happen when a susceptible website has an account with the name “admin.” In those cases, after hackers exploit the vulnerability and wipe tidy all information, they are immediately logged in as a user that has administrative rights.

“The thing is, in most cases you get ‘only’ a database reset, i.e. that’s not really useful for an attacker, but if a user ‘admin’ exists, the attacker can take that over,” he stated in a direct message. “But you don’t know that in advance. Therefore I assume attackers will just try and leave a lot of devastated WordPress installations behind while hijacking the few where this attack works.”

The ThemeGrill Demonstration Importer is utilized to immediately import other plugins offered from Web advancement business https://themegrill.com/. Stats from WordPress at first stated the importer plugin got 200,000 setups. More just recently, the number has actually been modified down to 100,000, more than likely since lots of sites have actually chosen to uninstall it.

According to WebARX, the vulnerability has actually been active for about 3 years and lives in variations from 1.3.4 through 1.6.1. The repair is offered in version 1.6.2, although a more recent version (called 1.6.3) appeared in the past 12 hours.

Failure to validate

The bug originates from a failure to validate users prior to enabling them to perform fortunate administrative commands. Hackers can abuse this failure by sending out Web demands which contain specifically crafted text strings.

“This is a serious vulnerability and can cause a significant amount of damage,” WebARX scientists composed in this weekend’s disclosure. “Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default, and a special rule needs to be created to block this vulnerability.”

Particularly, the vulnerability enables aggressors to erase all tables and occupy the database with default settings and information. Accounts called “admin,” presuming any exist, are set to their formerly understood password. In the event accounts called admin exist, the enemy will discover themselves logged in with administrative rights.

WebARX scientists found the vulnerability and reported it to ThemeGrill designers on February 2. The plugin designer didn’t provide a repair up until Sunday. Sites that utilize ThemeGrill need to upgrade right away. Even better, as Böck advised, they must uninstall the plugin completely. The vulnerability stands out from another bug reported over the weekend in the WordPress plugin wpCentral. That defect enables untrusted users to intensify advantages.