A critical bug has been found in the popular WordPress plugin ThemeGrill Demo Importer. It gives attackers admin access.
A WebARX security researcher recently found a bug in the popular WordPress plugin ThemeGrill Demo Importer. The plugin is available free of charge to those who buy a ThemeGrill WordPress theme, and it lets an administrator import demo widgets, content and default settings from ThemeGrill. The plugin has more than 200,000 active installations.
According to WebARX, once a ThemeGrill theme is installed and activated, the plugin allows anyone to access the entire database: they can edit, update or even delete the whole database, regardless of whether they are an administrator or even authenticated at all. Technically, when the ThemeGrill Demo Importer plugin detects that a ThemeGrill theme is installed and activated, it loads the file /includes/class-demo-importer.php, which attaches reset_wizard_actions to admin_init on line 44.
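The mechanism described above is a reset routine attached to admin_init without an authorization gate. The PHP below is an illustration added here, not code from the ThemeGrill plugin: it shows that risky shape next to a hardened one. Every function, option, meta-key and request-parameter name in it is hypothetical, as is the body of the reset itself. One WordPress fact worth knowing for the fix: admin_init also fires on admin-ajax.php requests, which WordPress serves to visitors who are not logged in, so anything hooked to it must perform its own capability and nonce checks.

```php
<?php
// Added illustration, not the plugin's own code. All names below are hypothetical.

// --- Risky pattern: a destructive action hooked to admin_init with no checks ---
// admin_init runs for admin-ajax.php requests from visitors who are not logged in,
// so this callback cannot assume anything about who triggered it.
function example_reset_wizard_actions_unsafe() {
    if ( ! isset( $_GET['do_reset_wizard'] ) ) { // hypothetical trigger parameter
        return;
    }
    example_reset_site_content(); // destructive, reachable by anyone
}
// Deliberately NOT registered; kept only to show the shape of the problem.
// add_action( 'admin_init', 'example_reset_wizard_actions_unsafe' );

// --- Hardened pattern: capability check, then nonce check, then act ---
function example_reset_wizard_actions_safe() {
    if ( ! isset( $_GET['do_reset_wizard'] ) ) {
        return;
    }
    // 1. Only a user allowed to manage the site may reset it. This also rejects
    //    unauthenticated callers, because they have no capabilities at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to reset the site.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }
    // 2. The request must carry a nonce created for this action, which blocks
    //    forged links and cross-site request forgery. check_admin_referer()
    //    dies with an error page when the nonce is missing or invalid.
    check_admin_referer( 'example_reset_wizard' );

    example_reset_site_content();
    wp_safe_redirect( admin_url( 'themes.php?page=demo-importer&reset=done' ) );
    exit;
}
add_action( 'admin_init', 'example_reset_wizard_actions_safe' );

// Hypothetical reset: remove every post the importer tagged as demo content
// and clear the marker option. A real importer would do more; the point of
// the example is the gate in front of this function.
function example_reset_site_content() {
    $demo_posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'meta_key'    => '_example_demo_import', // hypothetical meta key
        'fields'      => 'ids',
    ) );
    foreach ( $demo_posts as $post_id ) {
        wp_delete_post( $post_id, true ); // true = bypass trash, delete permanently
    }
    delete_option( 'example_demo_imported' ); // hypothetical marker option
}
```

For the hardened version to work, the "Reset" link on the plugin's settings page has to be generated with wp_nonce_url( admin_url( 'admin.php?do_reset_wizard=1' ), 'example_reset_wizard' ), so that check_admin_referer() finds a matching _wpnonce parameter. When reviewing a plugin, any admin_init callback that reads request parameters and then writes to or deletes from the database without both a current_user_can() and a nonce check is the pattern to flag.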
As the WebARX report states, ThemeGrill Demo Importer has a serious vulnerability that can cause a large amount of damage.
They add that this serious vulnerability has existed for roughly three years, since version 1.2.4. On February 16, 2020, a patched version, 1.6.2, was released. Users of ThemeGrill themes can receive the plugin update automatically, and WordPress also shows a warning on the dashboard with a notification to update the plugin.