This vicious WordPress plugin bug could wipe out your entire site

Cybersecurity researchers helped fix a high-severity security flaw in a popular WordPress plugin, which could be exploited to completely remove and reset any vulnerable WordPress website. Discovered by security experts at Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugin, which has more than 8,000 active installations and is designed to help admins import demos for WordPress themes with a single click. According to Wordfence QA engineer and threat analyst Ram Gall, the flaw gives any authenticated attacker, even a subscriber-level user with minimal permissions, the ability to reset WordPress sites by wiping out virtually all of their databases, downloaded data and media.

Incorrect controls

According to Gall, the vulnerability exists because the faulty Hashthemes Demo Importer plugin failed to perform capability checks for many of its AJAX actions. “Even though you did a nonce check, the AJAX nonce was visible in the admin panel to all users, including low-privilege users like subscribers. The most serious consequence of this was that a subscriber-level user could reset all content on a given site,” Gall noted. He says that if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable, unless of course it is properly backed up by its owners. Gall also points out that they first reported the issue to the plugin developer, from whom they received no response. They then raised it with the WordPress plugin team, who temporarily removed the plugin from their store. However, although the plugin's developer uploaded a fixed version a few days later, Gall points out that the changelog for the new version did not mention the fix.
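The class of bug Gall describes, an AJAX handler that checks a nonce but never checks the caller's capability, is easy to illustrate. The following is an added example written for this article, not code from the Hashthemes Demo Importer plugin: the action name, function names and nonce name are hypothetical, and the destructive reset itself is left as a comment because the point is the authorization gate in front of it. It shows the vulnerable shape (nonce exposed to every logged-in user, handler trusting the nonce alone) beside a hardened handler that treats the nonce as a CSRF token and adds a `current_user_can()` check.

```php
<?php
/**
 * Added example (not the plugin's code). Demonstrates why a WordPress nonce
 * alone does not authorize a destructive AJAX action, and how to fix it.
 * All names below (example_*, 'example_reset_nonce') are hypothetical.
 */

// ----- Vulnerable shape (shown for contrast; not hooked into WordPress) -----

// The nonce is localized into every admin page. Subscribers can load wp-admin
// (e.g. their profile page), so they can read this token from page source.
function example_vuln_enqueue() {
    wp_enqueue_script( 'example-reset', plugins_url( 'reset.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-reset', 'exampleReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_nonce' ), // exposed to all logged-in users
    ) );
}

// check_ajax_referer() only proves the request came from a page that held the
// nonce; it says nothing about what the user is allowed to do. With the nonce
// visible to everyone, any authenticated user passes this check.
function example_vuln_reset_site() {
    check_ajax_referer( 'example_reset_nonce', 'nonce' ); // CSRF check only
    // Missing: a capability check such as current_user_can( 'manage_options' )
    // ... destructive reset logic would run here for any logged-in user ...
    wp_send_json_success( 'reset' );
}

// ----- Hardened shape ------------------------------------------------------

add_action( 'admin_enqueue_scripts', 'example_hardened_enqueue' );
function example_hardened_enqueue() {
    // Only users who are allowed to reset the site receive the script and its
    // nonce; the token never appears in page source for anyone else.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-reset', plugins_url( 'reset.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-reset', 'exampleReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_nonce' ),
    ) );
}

// Registered only for authenticated users (wp_ajax_*), never wp_ajax_nopriv_*.
add_action( 'wp_ajax_example_reset_site', 'example_hardened_reset_site' );
function example_hardened_reset_site() {
    // 1. CSRF: the request must carry a valid nonce bound to this action.
    check_ajax_referer( 'example_reset_nonce', 'nonce' );

    // 2. Authorization: the nonce proves intent, not permission. Require the
    //    capability that actually governs site-wide changes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Destructive operations deserve an explicit confirmation parameter so a
    //    single mis-fired request cannot wipe the site.
    $confirm = isset( $_POST['confirm'] ) ? sanitize_text_field( wp_unslash( $_POST['confirm'] ) ) : '';
    if ( 'RESET' !== $confirm ) {
        wp_send_json_error( 'confirmation required', 400 );
    }

    // ... destructive reset logic would run here, behind all three checks ...
    wp_send_json_success( 'reset' );
}
```

The defender's takeaway is that `check_ajax_referer()` and `current_user_can()` answer different questions and both must pass on every privileged AJAX action; a nonce that is printed into pages low-privilege users can load is not a secret, so hiding it from those users is defence in depth, not the fix. When reviewing a plugin, grep its `wp_ajax_*` hooks and confirm each handler for a state-changing action contains a capability check.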