Bug In WordPress Plugin Can Let Hackers Wipe Up To 200,000 Sites (zdnet.com)
An anonymous reader quotes a report from ZDNet: WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites. The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they'll have examples and a starting point on which they can build their own sites.
However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers. Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin. The vulnerable function resets the site's content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed. Furthermore, if the site's database contains a user named "admin," then the attacker is granted access to that user with full administrator rights over the site.
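The behaviour the report describes (an unauthenticated request that reaches a plugin's reset routine) matches a common WordPress plugin mistake: hooking a destructive action to `admin_init`, which WordPress also fires for anonymous requests to `wp-admin/admin-ajax.php`, and gating it on nothing more than a request parameter. The block below is an added example written for this page, not the ThemeGrill Demo Importer's code; every function name, hook name and parameter in it (`example_demo_reset_vulnerable`, `example_demo_reset_hardened`, `do_reset_demo`, `example_wipe_site_content`) is hypothetical. It shows that pattern next to the hardened form a reviewer would expect: a capability check, a nonce tied to the action, POST only, and routing through `admin-post.php` so the callback never runs for anonymous callers.

```php
<?php
/**
 * Added example (not the ThemeGrill plugin's code). Names are made up.
 * Drop-in comparison of a request-parameter-gated reset versus a gated one.
 */

// Hypothetical destructive helper shared by both variants: deletes every
// post of every type. Real "reset" routines go further (tables, options),
// which is why the gate in front of them matters.
function example_wipe_site_content() {
    $ids = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
}

// ---- Vulnerable pattern ------------------------------------------------
// admin_init fires on every request that loads wp-admin, including
// /wp-admin/admin-ajax.php, which WordPress serves to logged-out visitors.
// The only condition here is a GET parameter, so anyone who can send
//   GET /wp-admin/admin-ajax.php?do_reset_demo=reset
// reaches the wipe. No capability check, no nonce, no confirmation.
add_action( 'admin_init', 'example_demo_reset_vulnerable' );

function example_demo_reset_vulnerable() {
    if ( isset( $_GET['do_reset_demo'] ) && 'reset' === $_GET['do_reset_demo'] ) {
        example_wipe_site_content();
    }
}

// ---- Hardened pattern --------------------------------------------------
// admin_post_{action} callbacks only run for authenticated users (the
// anonymous variant is admin_post_nopriv_{action}, deliberately not used),
// and only when the request names this exact action.
add_action( 'admin_post_example_demo_reset', 'example_demo_reset_hardened' );

function example_demo_reset_hardened() {
    // 1. Authorisation: only administrators may reach the destructive path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. State-changing actions go over POST, never GET.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Invalid request method.', 405 );
    }
    // 3. Nonce bound to this action: stops a cross-site request riding on a
    //    logged-in administrator's session. check_admin_referer() dies on failure.
    check_admin_referer( 'example_demo_reset' );

    example_wipe_site_content();

    // No "log the caller in as a fixed user" step: the caller is already the
    // authenticated administrator who passed the checks above.
    wp_safe_redirect( admin_url( 'themes.php?reset=done' ) );
    exit;
}

// The only legitimate entry point: a form on an admin screen that carries
// the nonce. An unauthenticated request cannot obtain a valid one.
function example_demo_reset_form_html() {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_demo_reset">
        <?php wp_nonce_field( 'example_demo_reset' ); ?>
        <?php submit_button( 'Reset demo content', 'delete' ); ?>
    </form>
    <?php
    return ob_get_clean();
}
```

When auditing a plugin for this class of bug, grep for `add_action( 'admin_init'` and `add_action( 'init'` and read each callback for a branch that keys off `$_GET` or `$_POST` without a `current_user_can()` and a nonce check (`check_admin_referer()` or `wp_verify_nonce()`) ahead of anything that writes to the database.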
Hurray for Static Sites. (Score:3)
I can serve it from a Pi. An Arduino. Send it to Amazon, Google or Microsoft and unzip in a served folder.
Data flows in one direction. There isn't a database to hit to render a page that isn't ever going to change.
Oblig. (Score:2)
...and nothing of value was lost.
Is that really a bug though? (Score:2)
A Wordpress Critical Security Bug is News? (Score:2)
If so, I expect to see at least one such article a day on here. I hope not.
I'm about to leave WordPress. Sort of. (Score:2)
WordPress makes me a good living. The system is a mess and shoddy plugins like this one don't make it better. The upside is, there is always work to do. A mission critical WordPress site is pure job security.
However, the dimwit quota in the WordPress community can be exhausting. Very exhausting. It's crushing my spirit. I'm going to up my skillset with technologies that will give me the possibility to put a little distance between me and the pointy-haired bosses that dominate the bottom end of the web.