Brutal WordPress plugin bug lets subscribers wipe sites

A high severity security flaw found in a WordPress plugin with more than 8,000 active installs can let authenticated attackers reset and wipe vulnerable websites.
The plugin in question, known as Hashthemes Demo Importer, is designed to help admins import demos for WordPress themes with a single click, without having to deal with installing any dependencies.
The security bug would allow authenticated attackers to reset WordPress sites and delete nearly all database content and uploaded media.
Wordfence QA engineer and threat analyst Ram Gall explained that the plugin failed to properly perform nonce checks, leaking the AJAX nonce on vulnerable sites' admin dashboard to all users, "including low-privileged users such as subscribers."
As a direct consequence of this bug, logged-in subscriber-level users could abuse it to wipe all the content on sites running unpatched versions of Hashthemes Demo Importer.
"While most vulnerabilities can have damaging effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up," Gall added.

Any logged-in user could trigger the hdi_install_demo AJAX function and supply a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads. — Ram Gall
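The root cause Gall describes is a two-part one: the AJAX nonce was printed into the dashboard for every logged-in user, and the handler treated that nonce as if it were authorization. The following is an added illustration of the hardened pattern, not code from Hashthemes Demo Importer or Wordfence. It keeps the hdi_install_demo action name from the article; the menu slug, the manage_options capability, the nonce action name and the hdi_install_demo_authorized hook are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: HDI Hardened AJAX Handler (illustrative example)
 *
 * Added example, not the Hashthemes Demo Importer's own code. Shows the
 * two controls whose absence the article describes: the nonce is only
 * printed where authorized users can see it, and the handler checks the
 * caller's capability before it does anything destructive.
 */

// Register a settings page that only administrators can open. For the slug
// 'hdi-demo-import', add_theme_page() returns the hook suffix
// 'appearance_page_hdi-demo-import', which is matched below.
add_action( 'admin_menu', function () {
    add_theme_page( 'Demo Import', 'Demo Import', 'manage_options', 'hdi-demo-import', 'hdi_render_page' );
} );

function hdi_render_page() {
    echo '<div class="wrap"><h1>Demo Import</h1>';
    echo '<button id="hdi-import" class="button button-primary">Import demo</button></div>';
}

// Enqueue the script, and therefore the nonce it carries, only on the plugin's
// own page and only for users who hold the capability. A subscriber viewing
// the dashboard never receives the nonce, which closes the leak.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'appearance_page_hdi-demo-import' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hdi-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hdi-admin', 'hdiAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hdi_install_demo' ),
    ) );
} );

// The handler. 'wp_ajax_' without the 'nopriv' variant already limits it to
// logged-in users, which is why the bug was reachable only by authenticated
// accounts. A nonce proves the request came from a page the plugin rendered
// (CSRF defence); it does not prove the caller may reset the site, so an
// explicit capability check is required as well.
add_action( 'wp_ajax_hdi_install_demo', function () {
    // 1. Authorization first: subscribers are rejected here even if they
    //    somehow obtained a valid nonce. wp_send_json_error() terminates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF check: dies with a 403 on a missing or stale nonce.
    check_ajax_referer( 'hdi_install_demo', 'nonce' );

    // 3. Normalise the destructive flag instead of comparing raw strings;
    //    anything that is not an explicit boolean true means "no reset".
    $reset = isset( $_POST['reset'] ) ? wp_validate_boolean( wp_unslash( $_POST['reset'] ) ) : false;

    // 4. Record who requested a reset before anything irreversible runs, so
    //    an incident responder can attribute the action from the PHP log.
    if ( $reset ) {
        error_log( sprintf(
            'hdi: site reset requested by user %d from %s',
            get_current_user_id(),
            sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) )
        ) );
    }

    // 5. Only now hand off to the import routine. The real plugin's import and
    //    reset logic would hook this action; it runs solely for callers that
    //    passed both checks above.
    do_action( 'hdi_install_demo_authorized', $reset );

    wp_send_json_success( array( 'message' => 'Demo import finished.' ) );
} );
```

The ordering matters for review: a handler that calls check_ajax_referer() but never current_user_can() still has the article's bug, because every user who can see the nonce can pass the referer check. When auditing similar plugins, look for wp_localize_script() or inline nonce output on hooks that fire for all admin pages, and for wp_ajax_ handlers whose only guard is a nonce.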

Subscriber, one of the types of users who could wipe vulnerable sites, is a default WordPress user role (just like Contributor, Author, Editor, and Administrator) commonly enabled on WordPress sites to allow registered users to write comments in the website's comment section.
They would normally only be able to edit their profile using the site's dashboard, without access to other admin pages.
While Wordfence reported the bug to the plugin's development team on August 25, 2021, the developers did not respond to the disclosure messages for almost a month.
This prompted Wordfence to reach out to the WordPress plugins team on September 20, which led to the plugin's removal the same day and the release of a patch addressing the bug 4 days later, on September 24.
However, Hashthemes Demo Importer's developer did not mention the 1.1.2 release or the update on the plugin's changelog page despite releasing a security update.