WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

ThemeGrill Demo Importer < 1.6.3 - Auth Bypass & Database Wipe

Description

There is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.

Edit (WPScanTeam):
v1.6.2 was released with an insufficient fix, allowing attackers to still exploit the issue using a CSRF attack.
v1.6.3 released with nonce fix.

Proof of Concept

By sending a call to /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1, the database will be wiped and we will be logged in as "admin" if the "admin" user exists in the users table. Authentication is not required.

Affects Plugins

themegrill-demo-importer
Fixed in version 1.6.3

References

URL
https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/
URL
https://www.openwall.com/lists/oss-security/2020/02/19/1

Classification

Type

AUTHBYPASS

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher

Dave

Submitter

WebARX

Submitter website
https://www.webarxsecurity.com
Submitter twitter
webarx_security
Verified

No

WPVDB ID
02674da6-9bcb-4f51-b912-0b54dee594d2

Timeline

Publicly Published

2020-02-16 (about 2 years ago)

Added

2020-02-16 (about 2 years ago)

Last Updated

2020-02-20 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin