A vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations, was reported by Wordfence recently.
This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.
The plugin was temporarily removed from the WordPress plugin repository on September 20, 2021, and a patched version, 1.1.2, was made available on September 24, 2021.
The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.
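The pattern described above, a nonce check with no capability check, is easiest to see in code. The following is an added illustration written for this article, not the plugin's own code: a weak AJAX handler next to a hardened one, plus the enqueue hook that stops the nonce from being printed for low-privileged users. The function names, the nonce action name and the admin page hook suffix are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names, the nonce
// action 'hdi_demo_nonce' and the hook suffix below are assumed.

// Weak: nonce only. A nonce proves the request came from a page that
// printed the nonce; it says nothing about whether this user may reset
// the site. If the nonce is localized into the dashboard for every role,
// a subscriber can read it and pass this check.
function hdi_install_demo_nonce_only() {
    check_ajax_referer( 'hdi_demo_nonce', 'nonce' );          // CSRF check only
    $reset = isset( $_POST['reset'] ) && 'true' === $_POST['reset'];
    if ( $reset ) {
        hdi_database_reset();   // destructive; assumed helper, body omitted
    }
    wp_send_json_success();
}

// Hardened: check intent (nonce) AND authorization (capability).
// Site-wide destructive actions should require an administrator capability.
function hdi_install_demo_hardened() {
    check_ajax_referer( 'hdi_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $reset = isset( $_POST['reset'] ) && 'true' === $_POST['reset'];
    if ( $reset ) {
        hdi_database_reset();   // assumed helper
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_hardened' );

// Defense in depth: only enqueue the script (and therefore the nonce) on
// the plugin's own admin page and only for users who hold the capability,
// so the token is never rendered into pages a subscriber can view.
function hdi_enqueue_admin_assets( $hook_suffix ) {
    if ( 'appearance_page_hdi-demo-importer' !== $hook_suffix ) {   // assumed suffix
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hdi-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), 'PLUGIN_VERSION', true );
    wp_localize_script( 'hdi-admin', 'hdiAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hdi_demo_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hdi_enqueue_admin_assets' );
```

When auditing a plugin, grep every wp_ajax_ callback for a current_user_can() call near its check_ajax_referer(); a handler that has the second without the first is the exact shape of this bug.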
Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in