Update This WordPress Plugin To Prevent A Site-Hijacking Attack

Update This WordPress Plugin To Prevent A Site-Hijacking Attack
Screenshot: <a href="https://wordpress.org/plugins/themegrill-demo-importer/">ThemeGrill Demo Importer</a>

I use WordPress to power my mighty little corner on the internet, and I confess, I’ve been lazy about keeping my various plugins and themes updated. My site is pretty basic, so the thought never came to mind. However, I urge you to visit your WordPress site right now and update everything that needs it, especially if you’re using a particular plugin from ThemeGrill, which is susceptible to a big vulnerability if left unpatched.

According to a recent report from WebARX, the ThemeGrill Demo Importer plugin for WordPress—with more than 200,000 installations as of when they published their piece, but a figure that’s quickly dropping—has a vulnerability in any version between 1.3.4 and 1.6.1. If a WordPress user installs and activates a ThemeGrill theme for their blog, and has a default “admin” user account present in their WordPress installation, an attacker could take advantage of the vulnerability to “wipe the entire database to its default state after which they are automatically logged in as an administrator.”

As WebARX writes:

“This is a serious vulnerability and can cause a significant amount of damage. Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.”

You’re going to want to update your ThemeGrill Demo Importer plugin ASAP to version 1.6.2 at minimum, which should be easy enough to do from your WordPress installation’s “plugin” page. It’s impossible to miss that you have updates pending, because your site’s backend will look like this:

Screenshot: David Murphy

It’s time to start using an auto-updater

If you’re like me, and you’ve been surprised by the number of updates you have pending—or you really want to make sure that you’re grabbing any and all updates to your plugins as soon as they pop up, which is a great security practice—I recommend grabbing a secondary plugin to manage your plugins’ updates. Slap a plugin like Companion Auto-Update into your WordPress installation, and it’ll automatically make sure everything about your WordPress (even its core files) is always running its most recent version.

By default, Companion Auto-Update will automatically update your plugins, themes, translation files, and minor updates to WordPress; you can also have it install major updates as well, if you don’t have any compatibility issues to fear. To double-check that this plugin is doing its job, you can even have it shoot you an email whenever it updates something on your site.

Screenshot: David Murphy

While odds are low that you’re running the aforementioned ThemeGrill Demo Importer on your own site, I think this vulnerability is a great excuse to take a few minutes and make sure you’ve set up your site for automatic updates. That way, should a vulnerability ever get discovered in a plugin you actually use, you’ll get whatever patches you need as soon as they appear.

And while you’re at it, stop using a default “admin” account in WordPress, too.

Log in to comment on this story!