A major issue was found in the WordPress plugin Hashthemes Demo Importer, which has over 8,000 active installations. Because of the bug, an authenticated attacker can completely wipe a vulnerable site, destroying all of its content.
This plugin is designed to make it easy for administrators to import demo WordPress themes without installing any dependencies.
The bug was discovered by researchers at Wordfence, who say that the plugin failed to perform nonce checks correctly, which resulted in the admin panel's AJAX nonce being leaked to all users, “including users with low privileges, such as subscribers.”
As a result, any logged-in user with at least subscriber privileges could use the bug to erase all content from the site. Note that the subscriber role on WordPress sites is often enabled and open to the public so that registered users can leave comments. Users with this role can usually only edit their own profile in the dashboard and have no access to other administrative pages.
“While many vulnerabilities can be devastating, it is impossible to restore a site where the vulnerability was exploited if the resource has not been previously backed up,” the researchers say. “Any logged-in user can run the hdi_install_demo AJAX action and set the reset option to true, which will cause the plugin to run the database_reset function. This function erases the database by truncating all database tables on the site (except wp_options, wp_users and wp_usermeta). After clearing the database, the plugin will run the clear_uploads function, which will remove all files and folders from wp-content and uploads.”
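The root cause described above is a classic WordPress mistake: a nonce proves that a request came from a page the user could load, not that the user is allowed to perform the action. If that nonce is printed into pages every dashboard user can see, it authorizes nothing. The following PHP is an added illustration written for this article, not the plugin's own code; the handler bodies, the nonce action name `hdi_nonce`, and the admin page hook suffix are hypothetical, while `hdi_install_demo`, `database_reset` and `clear_uploads` are the names Wordfence reported. It contrasts a handler guarded by a nonce alone with one that also enforces the `manage_options` capability and only ever emits the nonce on the plugin's own admin screen.

```php
<?php
// Added example (not from the Hashthemes Demo Importer code base).
// Function and hook names marked "hypothetical" are assumptions for illustration.

// Pattern to avoid: the handler is reachable by every logged-in user through
// wp_ajax_*, and the only gate is a nonce. If the nonce is leaked to
// low-privilege users, a subscriber can trigger the destructive reset path.
function hdi_install_demo_unsafe() {
    check_ajax_referer( 'hdi_nonce', 'nonce' );          // 'hdi_nonce' is hypothetical
    if ( isset( $_POST['reset'] ) && 'true' === $_POST['reset'] ) {
        database_reset();   // per the advisory: truncates all tables except wp_options, wp_users, wp_usermeta
        clear_uploads();    // per the advisory: removes files and folders under wp-content/uploads
    }
    wp_send_json_success();
}

// Hardened pattern: the capability check is what restricts the action to
// administrators; the nonce remains as CSRF protection on top of it.
function hdi_install_demo_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    check_ajax_referer( 'hdi_nonce', 'nonce' );
    if ( isset( $_POST['reset'] ) && 'true' === $_POST['reset'] ) {
        database_reset();
        clear_uploads();
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_safe' );

// Emit the nonce only on the plugin's own admin page and only for users who
// hold the capability, instead of on every dashboard page for every role.
function hdi_enqueue_admin_script( $hook_suffix ) {
    // 'toplevel_page_hdi-demo-importer' is a hypothetical screen id for the plugin's menu page.
    if ( 'toplevel_page_hdi-demo-importer' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hdi-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), false, true );
    wp_localize_script( 'hdi-admin', 'hdiAjax', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hdi_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hdi_enqueue_admin_script' );
```

Two points matter for anyone auditing similar plugins: `check_ajax_referer()` must never be the sole authorization control on a `wp_ajax_*` handler, and any hook that runs for every dashboard user (such as `admin_enqueue_scripts` without a screen check) is the wrong place to print a nonce for a privileged action. Since the reset path deletes tables and the uploads directory, the only recovery after exploitation is a backup taken beforehand, so offline backups are the compensating control regardless of patch status.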
Although Wordfence researchers notified the plugin's development team of the issue back in August 2021, the developers did not respond to their messages for almost a month. In September this prompted Wordfence to contact the WordPress plugin troubleshooting team, which submitted the patch on September 24th. Interestingly, the authors of Hashthemes Demo Importer still have not mentioned the 1.1.2 release or the patch in the changelog.