Discovered by WordPress security experts Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugin, which has more than 8,000 active installs and is designed to let admins import demos for WordPress themes with a single click.
According to Wordfence QA engineer and threat analyst Ram Gall, the flaw gives any authenticated attacker, even a subscriber-level user with minimal permissions, the ability to reset a WordPress site by wiping virtually all of its database content and uploaded media.
According to Gall, the vulnerability exists because the flawed Hashthemes Demo Importer plugin did not adequately perform capability checks for many of its AJAX actions.
“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site,” noted Gall.
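The pattern Gall describes, a nonce check standing in for an authorisation check, is shown below as an added illustration; this is not the plugin's code, and every function, action and nonce name is hypothetical. The vulnerable handler relies only on `check_ajax_referer()`, while the hardened one also requires the `manage_options` capability and stops handing the nonce to users who cannot use it.

```php
<?php
// Added illustration (not the Hashthemes Demo Importer's code).
// All function, action and nonce names are hypothetical.

// VULNERABLE PATTERN: nonce check only. A nonce defends against CSRF, but it
// says nothing about whether the caller is allowed to perform the action.
// If the nonce is printed into the admin dashboard for every logged-in user,
// a subscriber can read it and call this action.
function hypothetical_reset_content_vulnerable() {
    check_ajax_referer( 'hypothetical_demo_nonce', 'nonce' );
    // ... destructive work (delete posts, media, options) would run here ...
    wp_send_json_success( 'reset done' );
}
add_action( 'wp_ajax_hypothetical_reset_content_vulnerable', 'hypothetical_reset_content_vulnerable' );

// HARDENED PATTERN: nonce check (CSRF) AND an explicit capability check
// (authorisation). manage_options is held by administrators only.
function hypothetical_reset_content_hardened() {
    check_ajax_referer( 'hypothetical_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the 403.
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // ... destructive work only reaches here for administrators ...
    wp_send_json_success( 'reset done' );
}
add_action( 'wp_ajax_hypothetical_reset_content_hardened', 'hypothetical_reset_content_hardened' );

// Defence in depth: only emit the nonce (and the importer script) for users
// who hold the capability, so low-privileged users never see it at all.
function hypothetical_enqueue_importer_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hypothetical-importer', plugins_url( 'importer.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypothetical-importer', 'hypotheticalImporter', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypothetical_demo_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypothetical_enqueue_importer_script' );
```

When reviewing a plugin, grep every `wp_ajax_` handler for a `current_user_can()` call; a handler that only calls `check_ajax_referer()` or `wp_verify_nonce()` is the shape of the bug described here.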
He says that, if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable unless, of course, its owners had properly backed it up.
Gall also notes that Wordfence first brought the issue to the plugin’s developer but received no response. They then raised it with the WordPress plugins team, which temporarily removed the plugin from the plugin directory.
However, while a corrected version was uploaded by the plugin’s developer a few days later, Gall notes that the new version’s changelog did not mention the security fix.