Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 19 Feb 2020 09:03:04 +0100
From: Hanno Böck <>
Subject: Wordpress themegrill-demo-importer: database reset/auth bypass,
 incomplete fix due to CSRF

A severe vulnerability in a wordpress plugin called ThemeGrill Demo
Importer was discovered by the company WebARX:

The vulnerability is as follows:
The plugin adds a hook to wordpress that can be reached with the
ajax-interface (admin-ajax.php) and that has a functionality to reset
the wordpress database which will be triggered if the GET variable
do_reset_wordpress is set.

The problem: This had no authentication whatsoever.

--data 'action=heartbeat' -i

This can obviously delete all existing posts and other data. If there
exists a user called "admin" (i.e. the name of the user is admin, not
just a user with an admin role) then after triggering that function the
attacking user will be logged in as the admin, so in that case he can
use that to e.g. install a plugin and gain code execution. For further
details read the WebARX post.

This is already being actively exploitet, I observed several vulnerable
installations that were empty yesterday (i.e. only showing the standard
"Hello World" post of a new wordpress installation).

Incomplete Fix / CSRF

As a fix for this the developers of the plugin added a check if one is
logged in as a user with sufficient permission in version 1.6.2.
This is not a full fix, because there is no protection from Cross Site
Request Forgery. This means the functionality can no longer be
triggered by an unauthenticated user, but one can lure the admin of an
affected site to a site triggering a POST request executing that

PoC code:
<form id="f1"
method="POST"> <input type=hidden name=action value="heartbeat">

I had reported this to the developers of the plugin on Monday, but
given that this is almost entirely obvious looking at the fix I was
likely not the only one who has noticed. WebARX also told me they
noticed this and had already told Themegrill about it.

There's now an update 1.6.3 that adds a nonce check. I have
not reviewed that change in detail. Patches:

From the functionality this plugin provides I believe it's only useful
during development and testing of themes. Therefore even if the
vulnerability is now hopefully fixed it is probably a good idea to
remove it from production installations when it's no longer needed.

Summary on affected versions:
1.3.4 to 1.6.1: vulnerable to original/severe variant
1.6.2: Insufficient fix, attack with CSRF possible
1.6.3: hopefully fixed

Hanno Böck

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.