A bug in a WordPress plugin has opened the door for malicious actors to wipe the contents of an entire website or blog.
The bug resides in a plugin called ThemeGrill Demo Importer, which allows web developers and site builders to import pre-produced “demo” content compatible with WordPress themes distributed by ThemeGrill. Once installed and imported, the theme is filled with dummy content that allows users to figure out the functions of different features and design WordPress-based websites by modifying said content.
Older versions of the plugin are said to be installed and active on around 200,000 WordPress sites, and that's a problem because a newly discovered exploit allows unauthorized remote users to wipe a website clean with just a few clicks.
The attack works by allowing a remote user to access a WordPress website's database, essentially the engine of the entire operation. Once the user has access to the database, they're able to restore it to its default settings, wiping the entire WordPress-based website clean.
The glitch also lets a remote attacker log in as an administrator of the website if there's a user called "admin." By default, WordPress installations create an "admin" user.
WebARX, a security firm that focuses on WordPress and other online exploits, said the glitch had existed for at least three years, since version 1.3.4 of the plugin. An updated version of the plugin rolled out over the weekend fixes the issue, but there are already reports of websites being reset.
“This is a serious vulnerability and can cause a significant amount of damage,” WebARX said.
Affected users have a few options available. If their WordPress website hasn't been impacted by the glitch, it's a good idea to do a full backup right now, because anything can happen. The free plugin "All-in-One WP Migration" allows users to back up their entire WordPress website, database and all, and then reinstall it at a later point using the same plugin. Depending on the size of the database and files, the backup can be quite big, but All-in-One WP Migration offers backing up to an offsite cloud storage service like Google Drive or Dropbox to help alleviate this problem.
Other users who have already found their websites compromised should contact their web host’s customer support. Many web hosts automatically back up files and databases, some as often as twice per day.