“Vicious” WordPress Plugin Bug Could Erase Your Whole Site

Researchers have helped get a high-severity security flaw patched in a popular WordPress plugin; the bug could be exploited to completely wipe and reset any vulnerable WordPress site.

The vulnerability is located in the Hashthemes Demo Importer plugin, which has more than 8,000 active installations and is meant to let administrators import demo content for WordPress themes with a single click.

The vulnerability allows any authenticated attacker, even a subscriber-level user with minimal capabilities, to reset a WordPress site by deleting virtually all of its database content and uploaded media.

Incomplete checks

According to Gall, the vulnerability exists because the Hashthemes Demo Importer plugin failed to perform adequate capability checks for many of its AJAX actions.

“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site,” noted Gall.
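The pattern Gall describes (a nonce check with no capability check, and a nonce printed into the dashboard for every role) is a common WordPress plugin mistake. The following is an added illustration, not the plugin's own code; the function names, action names and the `demo_reset_site_content()` helper are hypothetical. It places a handler that relies on the nonce alone beside one that also checks `current_user_can()`, and shows the nonce being issued only on the admin screen that needs it:

```php
<?php
// Added illustration (not the plugin's code). Function, action and nonce
// names are hypothetical; demo_reset_site_content() stands for whatever
// destructive operation the handler performs.

// --- Vulnerable pattern: nonce check only ---------------------------------
// A nonce only proves the request originated from a page that rendered it.
// It says nothing about the caller's role. If the nonce is emitted into the
// dashboard for every logged-in user, a subscriber can read it and call
// this action, which is the situation the article describes.
function demo_reset_ajax_vulnerable() {
    check_ajax_referer( 'demo_importer_nonce', 'nonce' ); // CSRF check only
    demo_reset_site_content();                             // destructive (hypothetical)
    wp_send_json_success( 'reset' );
}
add_action( 'wp_ajax_demo_reset_vulnerable', 'demo_reset_ajax_vulnerable' );

// --- Hardened pattern: nonce check + capability check ---------------------
function demo_reset_ajax_hardened() {
    // 1. Keep the nonce check: it is still the CSRF defence.
    check_ajax_referer( 'demo_importer_nonce', 'nonce' );

    // 2. Authorisation: only users allowed to manage the site may reset it.
    //    This is the check the article says was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    demo_reset_site_content();
    wp_send_json_success( 'reset' );
}
add_action( 'wp_ajax_demo_reset_hardened', 'demo_reset_ajax_hardened' );

// --- Issue the nonce only where a privileged user can use it --------------
// Rather than localising the nonce into every dashboard page, enqueue the
// script (and its nonce) only on the importer's own admin screen and only
// for users who hold the capability the handler requires.
function demo_importer_enqueue( $hook_suffix ) {
    if ( 'appearance_page_demo_importer' !== $hook_suffix
        || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script(
        'demo-importer',
        plugins_url( 'importer.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-importer', 'demoImporter', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_importer_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_importer_enqueue' );
```

The two checks answer different questions: `check_ajax_referer()` asks "did this request come from a page I rendered for this user?", while `current_user_can()` asks "is this user allowed to do this at all?". Restricting where the nonce is emitted reduces exposure, but the capability check inside the handler is the control that actually prevents a low-privileged account from triggering a destructive action.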

According to Gall, if the vulnerability were exploited, a site using the vulnerable plugin would be completely unrecoverable unless its owners had a proper backup.

They also stated that they first reported the problem to the plugin's developer but received no response, and then alerted the WordPress plugins team.

They subsequently emailed the WordPress plugins team, which removed the plugin from the plugin repository pending review.

However, while the plugin's developer released a corrected version a few days later, Gall notes that the changelog for the new version made no mention of the fix.