A severe security flaw in a WordPress plugin with more than 8,000 active installs lets authenticated attackers reset affected websites and delete their content.
Hashthemes Demo Importer is a plugin that lets administrators import demo content for WordPress themes with a single click, without having to resolve any dependencies by hand.
Authenticated attackers can use the flaw to reset WordPress sites, erasing practically all uploaded media and database content.
According to Wordfence QA engineer and threat analyst Ram Gall, the plugin fails to perform its nonce checks properly and exposes the AJAX nonce on the admin dashboard of vulnerable sites to all users, "even low-privileged users like subscribers."
As a direct result, any logged-in subscriber-level user could erase all content from a site running an unpatched version of Hashthemes Demo Importer.
Gall also stressed that, while most flaws can be damaging, a site hit through this bug cannot be recovered unless it had been backed up.
“While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up,” Gall added. “Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.”
Subscribers normally have access to the dashboard only to edit their own profile, with no access to other admin pages; a nonce printed on every dashboard page is therefore visible to them as well.
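The following is an added example and not the plugin's own code: an illustrative reconstruction of the admin-ajax pattern the article describes, beside a hardened version. The AJAX action name hdi_install_demo, the reset parameter, the helper names database_reset and clear_uploads and the three preserved tables are taken from the article; the hdi_example_ function prefix, the chosen capability, the nonce action string, the menu hook suffix and the script handle are this example's own assumptions. The security point it shows is that a WordPress nonce is a CSRF token, not a permission check: a handler registered on wp_ajax_{action} runs for every logged-in user, so it needs current_user_can() as well as a nonce, and the nonce must only be printed where users who pass that capability check can see it.

```php
<?php
/**
 * Added example, not the plugin's code. Reconstructs the vulnerable admin-ajax
 * pattern described in the article and shows the checks that close it.
 * Assumed: the 'hdi_example_' prefix, the 'manage_options' capability, the
 * nonce action string, the hook suffix of the plugin page and the script handle.
 */

/* --- What the hole looked like --------------------------------------------
 * wp_ajax_{action} fires for EVERY logged-in user, subscribers included.
 * Nothing here asks who is calling, and if the nonce was checked at all it had
 * been printed on every dashboard page, so any subscriber could read it.
 * (Would have been hooked with add_action( 'wp_ajax_hdi_install_demo', ... );
 * deliberately not registered here.) */
function hdi_example_vulnerable_install_demo() {
    if ( isset( $_POST['reset'] ) && 'true' === $_POST['reset'] ) {
        hdi_example_database_reset();
        hdi_example_clear_uploads();
    }
    wp_send_json_success();
}

/* --- Hardened version ------------------------------------------------------ */
const HDI_EXAMPLE_CAP   = 'manage_options';               // assumed: admins only
const HDI_EXAMPLE_NONCE = 'hdi_example_install_demo';     // assumed nonce action
const HDI_EXAMPLE_PAGE  = 'appearance_page_hdi-example';  // assumed hook suffix

function hdi_example_install_demo() {
    // 1. Authorization first: a nonce does not say what the caller may do.
    if ( ! current_user_can( HDI_EXAMPLE_CAP ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF: the nonce field 'nonce' must be present and valid. Passing
    //    $die = false lets us return a JSON error instead of a bare -1.
    if ( ! check_ajax_referer( HDI_EXAMPLE_NONCE, 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    // 3. The destructive branch: parse the flag explicitly and demand a
    //    separate confirmation so an import request cannot silently become a wipe.
    $reset = isset( $_POST['reset'] ) && rest_sanitize_boolean( wp_unslash( $_POST['reset'] ) );
    if ( $reset ) {
        if ( ! isset( $_POST['confirm_reset'] ) || 'WIPE' !== $_POST['confirm_reset'] ) {
            wp_send_json_error( 'reset requires explicit confirmation', 400 );
        }
        hdi_example_database_reset();
        hdi_example_clear_uploads();
    }
    wp_send_json_success( array( 'reset' => $reset ) );
}
add_action( 'wp_ajax_hdi_example_install_demo', 'hdi_example_install_demo' );
// No wp_ajax_nopriv_ hook on purpose: anonymous users never reach this handler.

/* Print the nonce only on the plugin's own page, and only for users who could
 * pass the capability check anyway, so a subscriber's dashboard never carries it. */
function hdi_example_enqueue( $hook_suffix ) {
    if ( HDI_EXAMPLE_PAGE !== $hook_suffix || ! current_user_can( HDI_EXAMPLE_CAP ) ) {
        return;
    }
    wp_enqueue_script( 'hdi-example', plugins_url( 'importer.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hdi-example', 'hdiExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( HDI_EXAMPLE_NONCE ),  // sent back as the 'nonce' field
    ) );
}
add_action( 'admin_enqueue_scripts', 'hdi_example_enqueue' );

/* The two helpers the article describes: truncate every table carrying the site
 * prefix except options/users/usermeta, then empty the uploads directory. */
function hdi_example_database_reset() {
    global $wpdb;
    $keep   = array( $wpdb->options, $wpdb->users, $wpdb->usermeta );
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $wpdb->prefix ) . '%' ) );
    foreach ( $tables as $table ) {
        if ( ! in_array( $table, $keep, true ) ) {
            $wpdb->query( 'TRUNCATE TABLE `' . esc_sql( $table ) . '`' );
        }
    }
}

function hdi_example_clear_uploads() {
    $base = wp_upload_dir()['basedir'];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $iter as $entry ) {
        $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
    }
}
```

The order of the checks matters: the capability test rejects a subscriber before the nonce is even looked at, so leaking the nonce would no longer be enough on its own, and gating wp_localize_script on the same capability and on the plugin's own hook suffix stops the nonce from being printed on the dashboard pages subscribers can reach in the first place.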
Although Wordfence notified the plugin's development team of the vulnerability on August 25, 2021, the developers did not respond to the disclosure notices for almost four weeks.
Wordfence then contacted the WordPress plugins team on September 20, prompting the plugin's removal the same day; a patched version followed four days later, on September 24.
Although the developer shipped the fix as version 1.1.2, neither the release nor the patch is mentioned on the plugin's changelog page.