Site Deletion Vulnerability Patches In Hashthemes Plugin
This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.
The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.
Any logged-in user could trigger the
hdi_install_demo AJAX function and provide a
reset parameter set to
true, resulting in the plugin running it’s
database_reset function. This function wiped the database by truncating every database table on the site except for
wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in
If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to a complete site takeover.