---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in ThemeGrill Demo Importer Wordpress Plugin'
version: '1.0'
number: '2020-009'
date: 'February 19, 2020'
---

_History:_

* _19/02/2020 --- v1.0 -- Initial publication_

# Summary

A critical vulnerability affecting the ThemeGrill Demo Importer plugin has been identified [1, 2]. Theme Grill Demo Importer is a plugin that can be used to import ThemeGrill official themes demo content, widgets and theme settings [2]. The plugin is affected by a vulnerability that allows any unauthenticated user to _wipe the entire database_ to its default state after which they are automatically logged in as an _administrator_. According to [2], there are more than 100K active installations of the plugin.  

# Technical Details

**Prerequisites:**

In order for the vulnerability to be exploitable, there must be a theme installed and activated by ThemeGrill. In order to be automatically logged in as an _administrator_, there must be a user called `admin` in the database. If the `admin` user does not exist in the database, then the users table will remain empty and there will be no automatic login.

**Details:**

Once the plugin detects that a ThemeGrill theme is installed and activated, it loads the file `/includes/class-demo-importer.php` which hooks `reset_wizard_actions` into `admin_init`. The `admin_init` hook runs not only in the admin environment, but also on calls to `/wp-admin/admin-ajax.php` which does not require a user to be authenticated [1].

The bug is present in the `reset_wizard_actions` function where there is no authentication check [1]. If the user is not logged in, the `admin` user object will be retrieved from WordPress and then all WordPress tables that start with the defined WordPress database prefix will be dropped.

Once all tables have been dropped, it will populate the database with the default settings and data after which it will set the password of the `admin` user to its previously known password.

# Products Affected

List of affected products:

WordPress ThemeGrill Importer plugin versions between (and including) 1.3.4 and 1.6.1

# Recommendations

It is highly recommended to update the plugin to the latest version as soon as possible. This vulnerability has been fixed in versions 1.6.2 and above.

# References

[1] <https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/>

[2] <https://wordpress.org/plugins/themegrill-demo-importer/>