cbcvebase.
CVE-2020-36333
published 2021-05-05

CVE-2020-36333: themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook.

Priority: P182 · Severity: critical · Score: 9.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.43% (87.4th percentile)

Affected

1 range

Vendor      Product                    Version range   Fixed in
themegrill  themegrill_demo_importer   < 1.6.2         1.6.2

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin-post.php?do_reset_wordpress=1
path: /plugins/themegrill-demo-importer
  • HTTP GET request to /wp-admin/admin-post.php with do_reset_wordpress=1 parameter (no authentication required) triggers database wipe
  • Successful exploitation returns HTTP 302 redirect with both 'wordpress_logged_in_' and 'reset=true' present in response headers, and an empty body
  • The vulnerable hook is reset_wizard_actions; monitor WordPress action hooks for unauthenticated calls to this hook
  • After successful exploitation, the attacker is automatically logged in as administrator — look for unexpected admin session cookies (wordpress_logged_in_*) immediately following a reset=true redirect
  • Vulnerability only affects ThemeGrill Demo Importer versions 1.3.4 through 1.6.1 (inclusive); versions below 1.3.4 and 1.6.2+ are not affected

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd        v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:P
vulncheck  -        9.1    CRITICAL  -