This vicious WordPress plugin bug could wipe your whole site
WordPress flaw has been fixed, but the developer has failed to acknowledge the existence of the vulnerability
Cybersecurity researchers have helped patch a high-severity security flaw in a popular WordPress plugin, which could be exploited to completely wipe and reset any vulnerable WordPress website.
Discovered by WordPress security experts Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugin, which has more than 8,000 active installs and is designed to help admins import demos for WordPress themes with a single click.
According to Wordfence’s QA engineer and threat analyst Ram Gall, the flaw gives any authenticated attacker, even a subscriber-level user with minimal permissions, the ability to reset WordPress sites by wiping virtually all of its databases and uploaded media.
Improper checks
According to Gall, the vulnerability exists because the flawed Hashthemes Demo Importer plugin failed to adequately perform capability checks for many of its AJAX actions.
“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site,” noted Gall.
He says that if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable, unless of course its owners had properly backed it up.
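The root cause Gall describes, a nonce check standing in for an authorization check, is a recurring WordPress plugin bug class. The snippet below is an added illustration written for this article, not code from the Hashthemes plugin; the AJAX action name, nonce action string, script handle and callback names are hypothetical placeholders, and the destructive operation is deliberately left as a no-op.

```php
<?php
// Added illustration of the bug class described above; not the plugin's own code.
// All names (myplugin_*, 'myplugin_nonce') are hypothetical placeholders.

// VULNERABLE pattern: check_ajax_referer() only proves the request carried a
// valid nonce. When wp_create_nonce() output is printed into the admin
// dashboard for every logged-in user, subscribers can read it too, so the
// nonce says nothing about whether the caller is allowed to reset the site.
add_action( 'wp_ajax_myplugin_reset_content', 'myplugin_reset_content_vulnerable' );
function myplugin_reset_content_vulnerable() {
    check_ajax_referer( 'myplugin_nonce', 'security' ); // CSRF protection only
    myplugin_do_reset();                                 // reachable by any authenticated user
    wp_send_json_success();
}

// HARDENED pattern: keep the nonce (CSRF) and add a capability check
// (authorization). A site-wide destructive action should require an
// administrator-level capability such as manage_options.
add_action( 'wp_ajax_myplugin_reset_content_safe', 'myplugin_reset_content_hardened' );
function myplugin_reset_content_hardened() {
    check_ajax_referer( 'myplugin_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    myplugin_do_reset();
    wp_send_json_success();
}

// Gate the script (and the nonce it carries) on the same capability, so the
// nonce is never handed to low-privileged users in the first place.
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
function myplugin_enqueue_admin_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_nonce' ),
    ) );
}

function myplugin_do_reset() {
    // Placeholder for the destructive operation; intentionally a no-op here.
}
```

When reviewing a plugin, the check is mechanical: every `wp_ajax_*` handler that changes state should call `current_user_can()` with an appropriate capability, not just `check_ajax_referer()`.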
Gall also notes that they first brought the issue to the plugin’s developer, which failed to elicit any response. They then raised it with the WordPress plugins team, which temporarily removed the plugin from its store.
However, while a corrected version was uploaded by the plugin’s developer a few days later, Gall notes that the new version’s change log failed to mention the change.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.