The developers of the ThemeGrill Demo Importer for WordPress have updated the plugin to eliminate a serious bug that gives admin privileges to unverified users.

Besides getting logged in as an administrator, the cyberthieves can also reset the site’s whole database to its default state.

Used for easy import of ThemeGrill themes demo content, widgets, and settings, the component exists on more than 200,000 WordPress sites. A susceptible version runs on most of them.

Wiping the database of a susceptible site requires a theme developed by ThemeGrill to be active. Since the plugin is installed, there is a good chance that a theme from the developer is active.

Getting logged in automatically as an administrator also has a precondition: the presence, in the dropped database, of a user called “admin,” note the researchers from WebARX, a web security company that provides vulnerability discovery and virtual patching software to keep websites safe from bugs in third-party components.

The researchers explain that the ‘admin_init’ hook runs in the admin context and is also triggered by calls to ‘/wp-admin/admin-ajax.php’, which does not require an authenticated user.

The lack of authentication is what makes exploitation possible. An unauthenticated attacker could use this to get logged in, if the “admin” user exists in the database, and drop all the WordPress tables that start with a defined database prefix.
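To make the hook behaviour concrete from a defender’s side, here is an added illustration of the general WordPress anti-pattern the researchers describe and its hardened form. This is example code written for this article, not the ThemeGrill plugin’s actual source; the function names, the `example_do_reset` request parameter and the nonce action name are hypothetical.

```php
<?php
/*
 * Added illustration (not the ThemeGrill Demo Importer's own code).
 * Function names, the request parameter and the nonce action are hypothetical.
 */

// Anti-pattern: admin_init fires for every request that loads wp-admin/admin.php,
// which includes unauthenticated requests to /wp-admin/admin-ajax.php. Being
// inside an admin_init callback therefore says nothing about who sent the request.
function example_reset_unsafe() {
    if ( empty( $_GET['example_do_reset'] ) ) {
        return;
    }
    example_perform_reset(); // destructive work with no capability or nonce check
}
// add_action( 'admin_init', 'example_reset_unsafe' ); // deliberately not registered

// Hardened form: require a logged-in user with the right capability AND a valid
// nonce bound to this specific action before touching anything.
function example_reset_safe() {
    if ( empty( $_GET['example_do_reset'] ) ) {
        return;
    }
    // Reject anonymous and low-privilege users. is_admin() is NOT a substitute:
    // it returns true for admin-ajax.php requests from any visitor.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject forged or replayed requests (CSRF); check_admin_referer() dies on failure.
    check_admin_referer( 'example_reset_nonce_action', '_wpnonce' );
    example_perform_reset();
}
add_action( 'admin_init', 'example_reset_safe' );

function example_perform_reset() {
    // Placeholder for the destructive operation; intentionally a no-op here.
}

// The link that legitimately triggers the action must carry the matching nonce,
// so only a page rendered for an authorised, logged-in user can produce it.
function example_reset_link() {
    return wp_nonce_url(
        admin_url( 'tools.php?example_do_reset=1' ),
        'example_reset_nonce_action',
        '_wpnonce'
    );
}
```

The two checks are independent: `current_user_can()` answers “is this user allowed to do this?”, and `check_admin_referer()` answers “did this user actually intend this request?”. A plugin that performs a privileged action from `admin_init` needs both, because the hook itself provides neither.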
