A vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations, was recently reported by Wordfence.
The vulnerability allowed any authenticated user, down to the subscriber role, to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.
The plugin was temporarily removed from the WordPress plugin repository on September 20, 2021, and a patched version, 1.1.2, was made available on September 24, 2021.
The Hashthemes Demo Importer plugin failed to perform capability checks for many of its AJAX actions. It did perform a nonce check, but a WordPress nonce is a CSRF token, not an authorization check: it only proves the request originated from a page that printed the nonce. Here the AJAX nonce was printed in the admin dashboard for all users, including low-privileged users such as subscribers, so any logged-in user could obtain it and call the actions. The most severe consequence was that a subscriber-level user could reset all of the content on a given site.
Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin then ran its clear_uploads function, which deleted every file and folder in wp-content/uploads.
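The following is an added, illustrative PHP example and is not the plugin's code or the Wordfence advisory's. It shows the general pattern described above: a wp_ajax_* handler that relies on a nonce alone, beside a hardened handler that enforces a capability check and stops printing the nonce to users who cannot use it. The nonce action name 'hdi_nonce', the request field names, the script handle 'hdi-admin', and the helper names hdi_database_reset()/hdi_clear_uploads() are assumptions; only hdi_install_demo, the reset parameter, the spared tables and the uploads directory come from the description above.

```php
<?php
/**
 * Illustrative example, NOT the Hashthemes Demo Importer source.
 * Assumed names: nonce action 'hdi_nonce', POST fields 'nonce' and 'reset',
 * script handle 'hdi-admin', helpers hdi_database_reset()/hdi_clear_uploads().
 */

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_* hooks fire for ANY authenticated user, including subscribers.
// A nonce check only proves the request came from a page that printed the
// nonce; it says nothing about whether the user may perform the action.
// (In the vulnerable version this would be registered with
//   add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_vulnerable' );
//  it is left unregistered here so only the hardened handler is active.)
function hdi_install_demo_vulnerable() {
    check_ajax_referer( 'hdi_nonce', 'nonce' );            // CSRF check only, no capability check

    if ( isset( $_POST['reset'] ) && 'true' === $_POST['reset'] ) {
        hdi_database_reset();   // truncates every table except options/users/usermeta
        hdi_clear_uploads();    // deletes everything under wp-content/uploads
    }
    // ... demo import would continue here ...
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_hardened' );
function hdi_install_demo_hardened() {
    // 1. Authorization: only users allowed to manage the site may import or reset.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: the nonce check stays; it complements (1), it does not replace it.
    check_ajax_referer( 'hdi_nonce', 'nonce' );

    // 3. Treat the destructive flag as a strict boolean rather than raw input.
    $reset = isset( $_POST['reset'] )
        && filter_var( wp_unslash( $_POST['reset'] ), FILTER_VALIDATE_BOOLEAN );

    if ( $reset ) {
        hdi_database_reset();
        hdi_clear_uploads();
    }
    wp_send_json_success();
}

// Print the nonce only to users who can actually use the action. A subscriber
// loading the dashboard should never receive it.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'hdi-admin', 'hdiAjax', array(
        'nonce' => wp_create_nonce( 'hdi_nonce' ),
    ) );
} );

// --- Sketch of the destructive helpers (assumed implementations) -------------
// Truncates every table except the three the description says were spared.
function hdi_database_reset() {
    global $wpdb;
    $keep = array( $wpdb->options, $wpdb->users, $wpdb->usermeta );
    foreach ( $wpdb->get_col( 'SHOW TABLES' ) as $table ) {
        if ( ! in_array( $table, $keep, true ) ) {
            $wpdb->query( "TRUNCATE TABLE `{$table}`" );
        }
    }
}

// Recursively removes every file and folder below wp-content/uploads.
function hdi_clear_uploads() {
    $basedir = wp_get_upload_dir()['basedir'];
    $iter    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $basedir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $iter as $entry ) {
        $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
    }
}
```

The check worth remembering is the order in the hardened handler: authorization first (current_user_can), then the nonce. A plugin that only calls check_ajax_referer() has implemented CSRF protection and nothing else, and any wp_ajax_* action it registers is reachable by every account on the site.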
Details at: https://www.wordfence.com/blog/2021/10/site-deletion-vulnerability-in-hashthemes-plugin