Site Deletion Vulnerability in Hashthemes Plugin

A vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations, was reported by Wordfence recently.

This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.

The plugin was temporarily removed from the WordPress plugin repository on September 20, 2021, and a patched version, 1.1.2, was made available on September 24, 2021.

The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.

Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.
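The root cause described above is a nonce check standing in for an authorization check. The following is an added illustration written for this summary, not code from the Hashthemes Demo Importer plugin or from Wordfence: it places a nonce-only AJAX handler beside a hardened one that also verifies the caller's capability. The action name `example_reset_site`, the nonce action `example_reset_nonce`, and the script handle `example-admin` are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's own code. Action/nonce/script names
// below are assumed for the example.

// Pattern A: nonce only. A nonce proves the request originated from a page
// the user loaded, not that the user is allowed to perform the action. If the
// nonce is printed into the dashboard for every role, any logged-in user
// (including a subscriber) can satisfy this check.
function example_reset_site_nonce_only() {
    check_ajax_referer( 'example_reset_nonce', 'nonce' );
    // ... destructive work (table truncation, uploads removal) would follow ...
    wp_send_json_success( 'reset' );
}

// Pattern B: nonce AND capability check. Only users holding manage_options
// (administrators on a single site) reach the destructive code path, and the
// reset flag must be explicitly confirmed.
function example_reset_site_hardened() {
    check_ajax_referer( 'example_reset_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }

    $reset = isset( $_POST['reset'] ) && 'true' === $_POST['reset'];
    if ( ! $reset ) {
        wp_send_json_error( 'reset not confirmed', 400 ); // exits
    }

    // ... destructive work would follow only here ...
    wp_send_json_success( 'reset' );
}

// Register only the hardened handler for logged-in users. Do not register a
// 'wp_ajax_nopriv_' variant for a destructive action.
add_action( 'wp_ajax_example_reset_site', 'example_reset_site_hardened' );

// Emit the nonce only to users who may actually use the action, so it is not
// rendered into the dashboard for every role.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Assumes a script registered under the handle 'example-admin'.
    wp_localize_script( 'example-admin', 'exampleDemo', array(
        'nonce' => wp_create_nonce( 'example_reset_nonce' ),
    ) );
} );
```

The point of the pairing is that `check_ajax_referer()` defends against cross-site request forgery, while `current_user_can()` decides who is permitted to act; a destructive handler needs both, and the nonce should only be exposed to the roles that pass the capability check.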

Details at: https://www.wordfence.com/blog/2021/10/site-deletion-vulnerability-in-hashthemes-plugin
