This vicious WordPress plugin bug could wipe your whole site

WordPress flaw has been fixed, but the developer has failed to acknowledge the existence of the vulnerability


Cybersecurity researchers have helped patch a high-severity rated security flaw in a popular WordPress plugin, which could be exploited to completely wipe and reset any vulnerable WordPress website.

Discovered by WordPress security experts Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugin, which boasts more than 8,000 active installs and is designed to help admins import demos for WordPress themes with a single click.

According to Wordfence’s QA engineer and threat analyst Ram Gall, the flaw gives any authenticated attacker, even a subscriber-level user with minimal permissions, the ability to reset WordPress sites by zapping virtually all of their database content and uploaded media.

Improper checks

According to Gall, the vulnerability exists because the flawed Hashthemes demo importer plugin failed to adequately perform the capability checks for many of its AJAX actions.

“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site,” noted Gall.

He says that if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable, unless of course its owners had properly backed it up.
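The pattern Gall describes, a nonce check standing in for an authorization check, is easy to reproduce in any plugin. The following is an added example written for this article, not code from the Hashthemes Demo Importer or from Wordfence: a hypothetical plugin (prefix `hdi_example`, page slug `hdi-example`, all assumed names) registers an AJAX "reset" action first in the vulnerable shape and then hardened with a WordPress capability check, and only hands the nonce to users who are allowed to use it.

```php
<?php
// Added example, not the Hashthemes Demo Importer's own code. Every name
// prefixed hdi_example is hypothetical.

// --- Vulnerable pattern: nonce check only, no capability check ---------------
add_action( 'wp_ajax_hdi_example_reset_vulnerable', 'hdi_example_reset_vulnerable' );
function hdi_example_reset_vulnerable() {
    // A nonce only proves the request was built from a page that carried it.
    // When that nonce is printed into the dashboard for every logged-in user,
    // a subscriber passes this check exactly like an administrator does.
    check_ajax_referer( 'hdi_example_nonce', 'security' );
    hdi_example_do_reset();
    wp_send_json_success( 'reset done' );
}

// --- Hardened pattern: authorization first, then CSRF protection -------------
add_action( 'wp_ajax_hdi_example_reset', 'hdi_example_reset_hardened' );
function hdi_example_reset_hardened() {
    // Authorization: does this user hold a capability that permits a reset?
    // This is independent of the nonce and cannot be satisfied by a subscriber.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // CSRF protection: the nonce is still required, tied to this action name.
    check_ajax_referer( 'hdi_example_nonce', 'security' );
    hdi_example_do_reset();
    wp_send_json_success( 'reset done' );
}

// Issue the nonce only on the plugin's own admin page and only to users who
// could legitimately call the action, instead of on every dashboard page.
add_action( 'admin_enqueue_scripts', 'hdi_example_enqueue' );
function hdi_example_enqueue( $hook ) {
    if ( 'toplevel_page_hdi-example' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hdi-example', plugins_url( 'hdi-example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hdi-example', 'hdiExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hdi_example_nonce' ),
    ) );
}

// Stand-in for the destructive work. Here it only clears the option that
// records which demo was imported; a real importer's reset touches posts,
// options and uploads, which is exactly why the capability check matters.
function hdi_example_do_reset() {
    delete_option( 'hdi_example_imported_demo' );
}
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*` handler and ask two separate questions: is there a `current_user_can()` (or equivalent) check before anything state-changing, and where is the matching nonce printed? A `wp_localize_script()` call hooked without a page or capability condition leaks the nonce to every role, so the nonce alone provides CSRF protection, not authorization.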

Gall also notes that they first brought the issue to the plugin’s developer, which failed to elicit any response. They then raised it with the WordPress plugins team, which temporarily removed the plugin from its store.


However, while a corrected version was uploaded by the plugin’s developer a few days later, Gall notes that the new version’s change log failed to mention the change.


With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
