ThemeGrill Demo Importer < 1.6.3 - Auth Bypass & Database Wipe



Description
The plugin allows any unauthenticated user to wipe the entire database back to its default (fresh-install) state, after which the attacker is automatically logged in as an administrator.

Edit (WPScanTeam):
v1.6.2 was released with an insufficient fix: the check only required an authenticated user, so the reset could still be triggered through a CSRF attack against a logged-in administrator.
v1.6.3 was released with a nonce check, which addresses the CSRF vector.
Proof of Concept
Sending a single request to /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1 resets the database to its default state and leaves the requesting client logged in as "admin" if a user named "admin" exists in the users table. No authentication is required, and the value of the action parameter is arbitrary; the trigger is the do_reset_wordpress parameter.
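The request above is easy to spot after the fact. The following detector, added here as an example and not code from the advisory or the plugin, parses web-server access logs in the common combined format and flags any request that carries the do_reset_wordpress parameter. It decodes the query string, so an encoded value such as %31 is still caught, and it records whether the hit was on a /wp-admin/ path (the advisory's PoC path) or elsewhere. The log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameter that triggers the reset in the vulnerable plugin (from the advisory).
TRIGGER_PARAM = "do_reset_wordpress"

# One line of Apache/nginx "combined" log format:
#   ip ident user [timestamp] "METHOD target HTTP/x.y" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Line 2 is benign, line 5 is the
# parameter on a non-admin path, the rest match the advisory's PoC request.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2020:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1 HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [16/Feb/2020:10:01:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Feb/2020:10:02:03 +0000] "GET /wp-admin/admin-ajax.php?do_reset_wordpress=1&action=x HTTP/1.1" 302 0 "-" "python-requests/2.22"
203.0.113.11 - - [16/Feb/2020:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=y&do_reset_wordpress=%31 HTTP/1.1" 302 0 "-" "-"
192.0.2.4 - - [16/Feb/2020:10:03:00 +0000] "GET /blog/?do_reset_wordpress=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def classify_target(target):
    """Return None if the request target does not carry the trigger parameter,
    otherwise a (scope, values) tuple where scope is 'admin' for /wp-admin/
    paths and 'other' for anything else, and values are the decoded values."""
    parts = urlsplit(target)
    # parse_qs percent-decodes values, so do_reset_wordpress=%31 becomes "1".
    params = parse_qs(parts.query, keep_blank_values=True)
    if TRIGGER_PARAM not in params:
        return None
    scope = "admin" if parts.path.startswith("/wp-admin/") else "other"
    return scope, params[TRIGGER_PARAM]


def scan_log(text):
    """Scan combined-format log text and return one finding per request that
    carries the trigger parameter, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        hit = classify_target(m["target"])
        if hit is None:
            continue
        scope, values = hit
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "target": m["target"],
            "scope": scope,
            "values": values,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} "
              f"-> {f['status']} [{f['scope']}] values={f['values']}")
```

The detector matches on the parameter name rather than on the exact PoC URL because the parameter, not the action value, is what triggers the reset; a hit on a non-admin path is reported with scope "other" so it can be triaged separately rather than dropped. Run it over a real access log by passing the file contents to scan_log instead of SAMPLE_LOG.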

Affects Plugin

ThemeGrill Demo Importer, fixed in version 1.6.3

References

URL https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/
URL https://www.openwall.com/lists/oss-security/2020/02/19/1

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher Dave
Submitter WebARX
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Verified No
WPVDB ID 10071

Timeline

Publicly Published 2020-02-16
Added 2020-02-16
Last Updated 2020-02-20
