ThemeGrill Demo Importer < 1.6.3 – Auth Bypass & Database Wipe | Plugin Vulnerabilities

Description

There is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.

Edit (WPScanTeam):
v1.6.2 was released with an insufficient fix, allowing attackers to still exploit the issue using a CSRF attack.
v1.6.3 released with nonce fix.

Proof of Concept

By sending a call to /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1, the database will be wiped and we will be logged in as "admin" if the "admin" user exists in the users table. Authentication is not required.

Affects Plugins

themegrill-demo-importer

Fixed in 1.6.3

References

URL

https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/

URL

https://www.openwall.com/lists/oss-security/2020/02/19/1

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Original Researcher

Dave

Submitter

WebARX

Submitter website

https://www.webarxsecurity.com

Submitter twitter

webarx_security

Verified

No

WPVDB ID

02674da6-9bcb-4f51-b912-0b54dee594d2

Timeline

Publicly Published

2020-02-16 (about 6 years ago)

Added

2020-02-16 (about 6 years ago)

Last Updated

2020-02-20 (about 6 years ago)

Other

Published

Title

Published

2020-03-26

Title

IMPress for IDX Broker < 2.6.2 - Authenticated Post Creation, Modification, and Deletion

Published

2014-11-24

Title

Download Manager <= 2.7.2 - Privilege Escalation

Published

2023-11-29

Title

BestWebSoft's Like & Share < 2.74 - Unauthenticated Password Protected Post Read

Published

2024-03-22

Title

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.23 - Sensitive Information Exposure

Published

2025-12-09

Title

Elated Membership < 1.3 - Authentication Bypass via Social Login