One of the plugins bundled with the commercial WordPress themes sold by ThemeGrill has a critical bug that can let attackers wipe the sites that use them.
WordPress site owners who use ThemeGrill's commercial themes are advised to update the plugin to a version that patches the bug.
ThemeGrill is a web development company that sells commercial WordPress themes; the vulnerability is in its plugin named ThemeGrill Demo Importer.
The plugin is installed on more than 200,000 sites. It lets site owners import demo content into their ThemeGrill themes so they have examples and a starting point on which to build their own sites.
The WordPress security firm WebARX reported that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks by unauthenticated attackers.
Remote attackers can send a specially crafted payload to a vulnerable site and trigger a function inside the plugin. That function resets the site's content, wiping the content of any WordPress site that uses a ThemeGrill theme and has the vulnerable plugin installed.
Also, if the site's database contains a user named "admin," the attacker gains access as that user, with full administrator rights over the site.
According to WebARX the vulnerability affects all versions of the ThemeGrill Demo Importer plugin between version 1.3.4 and 1.6.1.
ThemeGrill has fixed the bug and released the latest version, 1.6.2.
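As an added example (not from the article, WebARX or ThemeGrill), the check a site administrator would run to decide whether an installed copy falls in the affected range 1.3.4 through 1.6.1. The plugin slug `themegrill-demo-importer` and the use of WP-CLI to read the installed version are assumptions.

```shell
#!/bin/sh
# Added example, not the article's or ThemeGrill's own code.
# Affected range reported by WebARX: ThemeGrill Demo Importer 1.3.4 .. 1.6.1 (inclusive).
# Fixed in 1.6.2.

# Returns 0 (true) when dotted version $1 is >= $2 and <= $3.
# Uses `sort -V` (GNU coreutils / modern BSD) for natural version ordering,
# so 1.10.0 correctly sorts after 1.9.0.
version_in_range() {
  v="$1"; lo="$2"; hi="$3"
  # lo must sort first against v, and v must sort first against hi
  [ "$(printf '%s\n%s\n' "$lo" "$v" | sort -V | head -n1)" = "$lo" ] &&
  [ "$(printf '%s\n%s\n' "$v" "$hi" | sort -V | head -n1)" = "$v" ]
}

# Returns 0 when the given plugin version is in the affected range.
themegrill_importer_vulnerable() {
  version_in_range "$1" "1.3.4" "1.6.1"
}

# Prints a verdict for one version string; returns the same status as the check.
report_version() {
  if themegrill_importer_vulnerable "$1"; then
    echo "ThemeGrill Demo Importer $1: AFFECTED - update to 1.6.2 or later"
    return 0
  fi
  echo "ThemeGrill Demo Importer $1: not in the affected range"
  return 1
}

# On a live site (assumed WP-CLI invocation and plugin slug), read the installed
# version and report it:
#   report_version "$(wp plugin get themegrill-demo-importer --field=version)"
```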
This is the second bug disclosed this year in a WordPress plugin that can let attackers wipe site databases.