Auth Bypass Vulnerability in ThemeGrill's Demo Importer Plugin Could Lead to Administrator Access
CVE-2020-36837

9.9CRITICAL

Key Information:

Vendor: WordPress
Status: Themegrill Demo Importer
Vendor: CVE Published:; 16 October 2024

What is CVE-2020-36837?

The ThemeGrill Demo Importer plugin for WordPress has a vulnerability that allows authenticated attackers to bypass security measures due to insufficient capability checks in the reset_wizard_actions function. This weakness exists in versions ranging from 1.3.4 to 1.6.1. Exploiting this flaw enables attackers to reset the WordPress database, and if an 'admin' user exists, they can gain automatic administrative privileges, posing serious risks to website integrity.

Affected Version(s)

ThemeGrill Demo Importer 1.3.4 <= 1.6.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.webarxsecurity.com/critical-issue-in-themegri...

https://www.openwall.com/lists/oss-security/2020/02/19/1

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Oct 15, 2024

Credit

Dave Jong

CVE-2020-36837 Data

JSON