Cybersecurity researchers have helped patch a high-severity rated security flaw in a popular WordPress plugin, which could be exploited to completely wipe and reset any vulnerable Wordpress website.
Discovered by Wordpress security experts Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugins that boasts of more than 8,000 active installs, and is designed to help admins import demos for WordPress themes with a single click.
According to Wordfence’s QA engineer and threat analyst Ram Gall, the flaw gives any authenticated attacker, even the subscriber-level user with minimal permissions, the ability to reset WordPress sites by zapping virtually all its databases and uploaded media.
Improper checks
According to Gall, the vulnerability exists because the flawed Hashthemes demo importer plugin failed to adequately perform the capability checks for many of its AJAX actions.
“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site,” noted Gall.
He says that if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable, unless of course its owners had properly backed it up.
Gall also notes that they first brought the issue to the plugin’s developer, which failed to elicit any response. They then raised it with the WordPress plugins team, which temporarily removed the plugin from its store.
However, while a corrected version was uploaded by the plugin’s developer a few days later, Gall notes that the new version’s change log failed to mention the change.
Easily build a website with these best Wordpress website builders, and use one of the best Wordpress ecommerce plugins to construct an online store without much effort.
