WordPress Plugin Flaw Allows Subscribers to Wipe Entire Sites

A vulnerability has been identified in the Hashthemes Demo Importer WordPress Plugin which could be exploited by an authenticated user to wipe the site. Exploiting the flaw would allow a user to delete all uploaded media and virtually all content databases.

The Hashthemes Demo Importer plugin allows WordPress admins to import demos for WordPress themes with a single click without having to bother installing any dependencies such as XML files and .wie widget files. The plugin has been installed on approximately 8,000 WordPress sites.

The vulnerability was identified by researchers at Wordfence which alerted the developer to the high severity flaw, but no response was received. After almost a month without a response, Wordfence notified the WordPress plugin team about the flaw, and the plugin was removed from the repository the same day. A new version of the plugin with the vulnerability patched was added a few days later on September 24, although no mention of the bug was made in the changelog page of the plugin, despite the update addressing a serious security issue.

The issue with the plugin was the failure to properly perform nonce checks, with the plugin leaking AJAX nonce on the admin dashboard of vulnerable sites for all users, including users with low-level privileges such as subscribers.

Subscriber is a default role that is often enabled on WordPress sites to allow comments to be posted. Subscribers have very low-level privileges, such as the ability to edit their profile. The flaw meant that a subscriber logged in on a vulnerable WordPress site could reset it and wipe virtually all content on the site. If the vulnerability was exploited, it would be impossible to recover the content unless a backup had been made.

According to Wordfence QA engineer Ram Gall, “Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.”

The fixed version of the plugin is version 1.1.2. If you use the Hashthemes Demo Importer WordPress Plugin, update it to the latest version immediately and while you are at it, it would be a good idea to create a backup of your site.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news