The Wordfence Threat Intelligence team responsibly disclosed a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations.

This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.

The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.

Buy Me A Coffee

Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running it’s database_reset function. This function wiped the database by truncating every database table on the site except for wp_optionswp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.

If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to a complete site takeover.

READ
Fighting Back: Essential Steps to Take After a Ransomware Attack