Hackers are actively exploiting a critical WordPress plugin vulnerability that allows them to completely wipe all website databases and, in some cases, seize complete control of affected sites.

The flaw is in the ThemeGrill Demo Importer, installed on some 100,000 sites, and it was disclosed over the weekend by website security company WebARX. By Tuesday, WebARX reported that the flaw was under active exploit, with almost 17,000 attacks blocked so far. Hanno Böck, a journalist who works for Golem.de, also spotted active attacks and reported them on Twitter.

If you use this plugin and your webpage hasn't been deleted yet consider yourself lucky. And remove the plugin. (Yes, remove it, don't just update.) — hanno (@hanno) February 18, 2020

"There's currently a severe vuln in a wordpress plugin called "themegrill demo importer" that resets the whole database," Böck wrote. "https://webarxsecurity.com/critical-issue-in-themegrill-demo-importer/ It seems attacks are starting: Some of the affected webpages show a wordpress 'hello world'-post. /cc If you use this plugin and your webpage hasn't been deleted yet consider yourself lucky. And remove the plugin. (Yes, remove it, don't just update.)"

Hello, cruel world

The "Hello World" message is the default placeholder displayed on WordPress sites when the open source content-management system is first installed or when it's wiped clean. Böck told me that attackers appear to be exploiting the ThemeGrill vulnerability in hopes of gaining administrative control over affected websites. Website takeovers only occur when a vulnerable site has an account with the name "admin." In those cases, after hackers exploit the vulnerability and wipe clean all data, they are automatically logged in as a user that has administrative rights.

"The thing is, in most cases you get 'only' a database reset, i.e. that's not really useful for an attacker, but if a user 'admin' exists, the attacker can take that over," he said in a direct message. "But you don't know that in advance. Therefore I assume attackers will just try and leave a lot of devastated WordPress installations behind while hijacking the few where this attack works."

The ThemeGrill Demo Importer is used to automatically import other plugins available from the Web development company ThemeGrill (https://themegrill.com/). Statistics from WordPress initially said the importer plugin had 200,000 installations. More recently, the number has been revised down to 100,000, most likely because many websites have opted to uninstall it.

According to WebARX, the vulnerability has existed for about three years and resides in versions 1.3.4 through 1.6.1. The fix is available in version 1.6.2, and a newer version (1.6.3) became available in the past 12 hours.

Failure to authenticate

The bug stems from a failure to authenticate users before allowing them to carry out privileged administrative commands. Hackers can abuse this failure by sending Web requests that contain specially crafted text strings.

"This is a serious vulnerability and can cause a significant amount of damage," WebARX researchers wrote in this weekend's disclosure. "Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default, and a special rule needs to be created to block this vulnerability."

Specifically, the vulnerability allows attackers to delete all tables and repopulate the database with default settings and data. If an account named "admin" exists, it is restored with its previously known password, and the attacker ends up logged in to that account with administrative rights.
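The two defects the article describes, a privileged action reachable without any authentication check and an automatic login as a restored "admin" user, are illustrated below with a hypothetical WordPress plugin handler. This is an added example, not the ThemeGrill plugin's own code; the hook name `admin_init` and the WordPress functions are real, while the parameter name `do_site_reset` and the function `hypothetical_reset_database()` are assumed placeholders.

```php
<?php
// Added illustration of the bug class, not the ThemeGrill plugin's code.
// Both handlers perform a (hypothetical) destructive site reset; only
// the second one gates it the way a privileged action must be gated.

// VULNERABLE pattern: admin_init trusts a request parameter outright.
// admin_init also fires for unauthenticated requests to admin-ajax.php,
// so with no capability or nonce check any visitor can trigger this.
add_action('admin_init', function () {
    if (empty($_GET['do_site_reset'])) {          // assumed parameter name
        return;
    }
    hypothetical_reset_database();                // placeholder: drops and recreates tables
    $admin = get_user_by('login', 'admin');       // "admin" exists again after the reset
    if ($admin) {
        wp_set_auth_cookie($admin->ID);            // the requester becomes that admin
    }
});

// HARDENED pattern: same action, with the checks the page says were missing.
add_action('admin_init', function () {
    if (empty($_REQUEST['do_site_reset'])) {
        return;
    }
    // 1. Authorization: only users allowed to manage the site may reset it.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', ['response' => 403]);
    }
    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action (generated with wp_nonce_url($url, 'site_reset') or
    //    wp_nonce_field('site_reset')); check_admin_referer() dies otherwise.
    check_admin_referer('site_reset');
    // 3. Destructive actions take an explicit POST confirmation, never a bare GET.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        wp_die('Confirm the reset through the admin form.', '', ['response' => 405]);
    }
    hypothetical_reset_database();                // placeholder for the destructive step
    // No wp_set_auth_cookie() here: the caller was authenticated and
    // authorized above, and a reset must never mint a session for anyone.
});
```

The defensive takeaway is the order of checks: capability, then nonce, then method, all before the destructive call, and never a login issued on behalf of a user named in the database.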

WebARX researchers discovered the vulnerability and reported it to ThemeGrill developers on February 2. The plugin developer didn't issue a fix until Sunday. Websites that use ThemeGrill should update immediately. Better yet, as Böck recommended, they should uninstall the plugin altogether. The vulnerability is distinct from another bug reported over the weekend in the WordPress plugin wpCentral. That flaw allows untrusted users to escalate privileges.