Updated, 2/21/20, 11:30am PT:
ThemeGrill responded to our request for comment with the following statement:
"The best approach to tackle this issue is: please contact your hosting service provider and ask them to restore to the last working backup they have. These days most hosting service providers do have this backup service. Once you do this, please delete/deactivate the ThemeGrill Demo Importer plugin if you are not using it. If you need to use it, please make sure you are using the latest version 1.6.3.
"We would like to apologize for this issue. We are also working with the wordpress(dot)org plugin review team to make this update an automatic update. We as developers are working continuously to better handle this."
ThemeGrill Demo Importer's popularity appears to have resurged after WebARX's reporting. The WordPress Plugin Repository said on February 18 that the extension had more than 100,000 users; today it says the extension has more than 200,000 users. Those additional sites shouldn't be vulnerable to these attacks, however, because a fresh install from the repository gets the latest version of ThemeGrill Demo Importer, which resolves the previously exploited security flaw.
Original article, 2/18/20, 9:01am PT:
WordPress users might want to double-check their extensions. WebARX reported yesterday that a flaw in ThemeGrill Demo Importer, an extension that imports demo content for ThemeGrill's premium themes, put sites at risk of being taken over.
WebARX said yesterday that more than 200,000 websites had the extension installed. That number has quickly fallen since that report, though, with the WordPress Plugin Repository currently saying it's used on more than 100,000 sites.
Attackers who exploited the vulnerability in ThemeGrill Demo Importer were reportedly able to "wipe the entire database to its default state," WebARX said, "after which they are automatically logged in as an administrator" to the target website.
Unfortunately, the flaw is hard for web application firewalls to catch, according to WebARX, because exploiting it "requires no suspicious-looking payload." The easiest way for WordPress users to defend themselves is to update ThemeGrill Demo Importer or remove it entirely. Note that updating only closes the hole going forward; a site whose database has already been wiped still has to be restored from a backup.
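As an added example (not code from the article, WebARX or ThemeGrill), here is a small POSIX shell script for the check a site operator would want to run across their installs: read WP-CLI's plugin list and report whether the site carries a vulnerable copy. It assumes the plugin's repository slug is themegrill-demo-importer and treats 1.6.3, the version ThemeGrill cites in its statement, as the first fixed release; a copy that is installed but inactive is not loaded by WordPress, so it is flagged separately from an active one.

```bash
#!/bin/sh
# Added example, not code from the article, WebARX or ThemeGrill: triage one
# site's ThemeGrill Demo Importer install from WP-CLI output. Assumptions:
# the plugin's repository slug is themegrill-demo-importer, and 1.6.3 (the
# version ThemeGrill names in its statement) is the first fixed release.
FIXED_VERSION="1.6.3"
PLUGIN_SLUG="themegrill-demo-importer"

# version_lt A B: succeed when dot-separated version A is older than B.
# Missing components count as 0 (1.6 < 1.6.3); non-digits are dropped so a
# suffix such as "-beta" cannot break the numeric comparison.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ah=$(printf '%s' "$ah" | tr -cd '0-9'); bh=$(printf '%s' "$bh" | tr -cd '0-9')
        ah=${ah:-0}; bh=${bh:-0}
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1
}

# triage_plugin_csv CSV: CSV is the output of
#   wp plugin list --fields=name,status,version --format=csv
# Prints one verdict:
#   not-installed  plugin absent, nothing to do
#   patched        installed at FIXED_VERSION or newer
#   inactive-old   old version present but not loaded by WordPress; update or delete it
#   vulnerable     old version active: update now and check whether the site was reset
triage_plugin_csv() {
    line=$(printf '%s\n' "$1" | awk -F, -v slug="$PLUGIN_SLUG" '$1 == slug { print; exit }')
    if [ -z "$line" ]; then
        echo "not-installed"; return 0
    fi
    status=$(printf '%s' "$line" | cut -d, -f2)
    version=$(printf '%s' "$line" | cut -d, -f3)
    if version_lt "$version" "$FIXED_VERSION"; then
        if [ "$status" = "active" ] || [ "$status" = "active-network" ]; then
            echo "vulnerable"
        else
            echo "inactive-old"
        fi
    else
        echo "patched"
    fi
}

# Constructed sample output (not from a real site). On a live site run:
#   triage_plugin_csv "$(wp plugin list --fields=name,status,version --format=csv)"
SAMPLE_CSV="name,status,version
akismet,inactive,4.1.3
themegrill-demo-importer,active,1.6.2"
triage_plugin_csv "$SAMPLE_CSV"   # prints: vulnerable
```

A "vulnerable" verdict calls for `wp plugin update themegrill-demo-importer` (or `wp plugin delete` if the importer is no longer needed) and a look at whether the database has already been reset, since the update does not restore anything.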
ThemeGrill doesn't appear to have acknowledged WebARX's report on its website, blog or social media accounts. We've reached out to the company for more information about the vulnerability and will update this post if we get a response.
Despite the lack of public comment, WebARX said that ThemeGrill did release an update to the extension that resolves this vulnerability on February 16. That's good news, especially since WebARX says the flaw is now being actively exploited, but WordPress doesn't apply plugin updates automatically unless a site is configured to, so site owners still have to install it themselves.
There's no denying that putting 200,000 websites at risk is a serious problem, but the vast majority of WordPress users don't have to worry about this vulnerability. The platform is said to power 35% of the web, and 200,000 sites is a tiny fraction of that.