This WordPress vulnerability could let hackers hijack your entire site


A WordPress plugin has been discovered to contain “easily exploitable” security issues that could be leveraged by an attacker to gain complete control over vulnerable websites.

The plugin is called WP Database Reset and it is used to reset databases without having to go through the standard WordPress installation process. The security issue has the potential to affect many websites as the WordPress library says it is active on over 80,000 sites.

Two severe vulnerabilities were found by the Wordfence security team, and according to the firm either of them can be used to force a full website reset or takeover.

Wordfence's Chloe Chamberland explained just how damaging these vulnerabilities could be to websites in a blog post detailing the firm's findings, saying:

“A WordPress database stores all data that makes up the site including posts, pages, users, site options, comments, and more. With a few simple clicks and a couple of seconds, an unauthenticated user could wipe an entire WordPress installation clean if that installation was using a vulnerable version of this plugin.”

Critical security flaws

The first critical security flaw is tracked as CVE-2020-7048. Because none of the database reset functions were protected by any checks, it could allow anyone to reset any database tables without authentication.

The other vulnerability discovered by Wordfence is tracked as CVE-2020-7047. It allowed any authenticated user to grant themselves administrative privileges, while also giving them the ability to “drop all other users from the table with a simple request”.
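Both flaws come down to a request handler that acts on the database without first establishing who is asking and whether they are allowed to. The following is an added illustration of what a properly guarded reset handler in a WordPress plugin looks like; it is not code from WP Database Reset or from Wordfence, and the action name `example_db_reset` and function `example_handle_db_reset` are hypothetical. It uses only standard WordPress API calls (`current_user_can`, `check_admin_referer`, `$wpdb`).

```php
<?php
/*
 * Hypothetical hardened admin-post handler for a "reset tables" action.
 * Added example only; NOT the WP Database Reset plugin's code.
 * Each check below corresponds to a class of flaw the article describes.
 */

add_action( 'admin_post_example_db_reset', 'example_handle_db_reset' );

function example_handle_db_reset() {
    // 1. Authorization: only an administrator may reset tables. A handler that
    //    skips this check is reachable by unauthenticated requests, which is the
    //    situation described for CVE-2020-7048. admin_post_* hooks also require
    //    a logged-in user, but the capability check is what limits it to admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce tied to this action and
    //    to the current user, so a "simple request" from elsewhere cannot trigger it.
    check_admin_referer( 'example_db_reset' );

    // 3. Input validation: only tables from a fixed allow-list may be reset.
    //    The users and usermeta tables are deliberately absent, so this path can
    //    never wipe other accounts or alter who holds the administrator role
    //    (the CVE-2020-7047 scenario).
    global $wpdb;
    $allowed   = array( $wpdb->posts, $wpdb->postmeta, $wpdb->comments, $wpdb->commentmeta );
    $requested = isset( $_POST['tables'] ) ? (array) wp_unslash( $_POST['tables'] ) : array();
    $tables    = array_intersect( $allowed, array_map( 'sanitize_text_field', $requested ) );

    if ( empty( $tables ) ) {
        wp_die( 'No permitted tables selected.', '', array( 'response' => 400 ) );
    }

    foreach ( $tables as $table ) {
        // $table comes from the allow-list, not from the request, so it is safe to interpolate.
        $wpdb->query( "TRUNCATE TABLE `{$table}`" );
    }

    // 4. No implicit privilege changes: a reset handler must never touch the
    //    requesting user's role as a side effect.
    wp_safe_redirect( add_query_arg( 'reset', 'done', admin_url( 'tools.php' ) ) );
    exit;
}
```

When reviewing a plugin that performs destructive operations, the three things to look for are exactly these: a capability check before the action, a nonce check on the request, and an allow-list for what the request may name; the absence of the first is what makes such an action usable without logging in at all.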

Wordfence first made WP Database Reset's developer aware of the security issues on January 8, after verifying its findings. The developer responded on January 13 and promised a patch would be released the next day, and the vulnerabilities were publicly disclosed a few days later.

Users of the WP Database Reset plugin should update to the latest version (version 3.15) as soon as possible to prevent their website from being hijacked by hackers or wiped out completely.

Via ZDNet

Anthony Spadafora