A high-severity security vulnerability in a WordPress plugin with more than 8,000 installations allows an attacker to reset or wipe a website.
On August 25, 2021, the Wordfence Threat Intelligence team began the process of disclosing a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations.
This vulnerability allows any authenticated user to completely reset the site, permanently deleting almost all database content and all uploaded media.
The plugin, Hashthemes Demo Importer, is designed to let administrators import WordPress theme demos without installing any dependency software.
This security bug allows an attacker to reset a WordPress site and delete almost all database content and uploaded media.
Wordfence threat analyst Ram Gall explains that the plugin fails to perform the nonce check properly, and that the AJAX nonce is leaked to every user of the vulnerable site's admin panel.
As a result of this vulnerability, a logged-in subscriber-level user can erase all content on a site running an unpatched version of the Hashthemes Demo Importer.
While most vulnerabilities can have destructive consequences, this one is unusually severe: a site wiped through it cannot be recovered unless a backup exists.
Any logged-in user can invoke the hdi_install_demo AJAX function and set the reset parameter to true, which executes the plugin's database_reset function.
This function clears the database by truncating all of the site's database tables except wp_options, wp_users and wp_usermeta.
Once the database has been cleared, the plugin runs the clear_uploads function, which deletes all files and folders in wp-content/uploads.
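The two defects the article describes, a nonce handed to every logged-in user and an AJAX handler that does not check the caller's capability, are both authorization failures in how a WordPress plugin wires up admin-ajax.php. The following is an added, hypothetical example of how such a reset handler should be hardened; it is not the Hashthemes Demo Importer's code, and the hook names, screen id, action names and helper functions in it are assumptions:

```php
<?php
/**
 * Hypothetical hardened AJAX handler for a demo-importer style plugin.
 * Added as an illustration for this article; not the Hashthemes Demo
 * Importer's own code. Hook, action, screen and nonce names are assumptions.
 */

// 1. Hand the nonce only to users who are allowed to reset the site, and only
//    on the plugin's own admin screen. A nonce localized on every dashboard
//    page is readable by any logged-in account, including subscribers.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    // Assumed hook suffix for a submenu page under Appearance.
    if ( 'appearance_page_example-demo-importer' !== $hook_suffix ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // non-administrators never receive the nonce
    }
    wp_enqueue_script( 'example-demo-importer', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-demo-importer', 'exampleImporter', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_demo_reset' ),
    ) );
} );

// 2. Register the handler for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_install_demo', 'example_install_demo_handler' );

function example_install_demo_handler() {
    // A valid nonce only proves the request came from the plugin's page
    // (CSRF protection). check_ajax_referer() ends the request with a 403
    // if the nonce is missing or stale.
    check_ajax_referer( 'example_demo_reset', 'nonce' );

    // Authorization is a separate check: a nonce says nothing about who the
    // caller is. Without this line a subscriber with the leaked nonce could
    // reach the destructive branch.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Treat the reset flag as a strict value rather than anything truthy.
    $reset = isset( $_POST['reset'] ) && 'true' === $_POST['reset'];

    if ( $reset ) {
        example_perform_reset(); // hypothetical destructive routine, reached only by administrators
    }

    example_import_demo( sanitize_key( $_POST['demo'] ?? '' ) ); // hypothetical import step
    wp_send_json_success();
}
```

The point of the example is the separation of the two checks: `check_ajax_referer()` defends against cross-site request forgery, while `current_user_can()` is what actually decides whether the caller may run a destructive action. Limiting where the nonce is emitted is defence in depth; the capability check inside the handler is the control that must never be missing.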
Subscriber-level users are among the accounts that can wipe a vulnerable site. Subscriber is the default role for new users in WordPress (the other built-in roles being Contributor, Author, Editor, and Administrator), and registration at this level is often enabled on WordPress sites so that registered users can write comments in the site's comments section.
Normally, such users can only edit their own profile from the site's dashboard and have no access to any other administrative pages.
Wordfence reported this vulnerability and bug to the plugin’s development team on August 25, 2021, but the developers did not respond to the disclosure message for about a month.
For this reason, Wordfence contacted the WordPress plugin team on September 20; the plugin was removed the same day, and a patch addressing the bug was released four days later, on September 24.
However, although the developers of Hashthemes Demo Importer released the security update as version 1.1.2, they did not mention that release on the plugin's changelog page.