A security issue in a popular WordPress plugin has left some 100,000 websites vulnerable to being completely wiped.
Security firm WebARX discovered a flaw in the ThemeGrill Demo Importer plugin. The plugin imports other plugins developed by ThemeGrill. When WebARX first discovered the flaw, some 200,000 websites had the plugin installed, although that number has now dropped to 100,000. This is likely due to companies uninstalling the plugin to mitigate the risk.
To make matters worse, this vulnerability is being actively exploited. WebARX has already stopped over 16,000 attacks attempting to exploit the plugin.
“This is a serious vulnerability and can cause a significant amount of damage,” writes WebARX. “Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.”
ThemeGrill has updated the plugin to fix the vulnerability. All impacted sites should install the new version immediately.