Nov 2, 2021
128 Views
0 0

WordPress Plugin Bug Lets Subscribers Wipe Sites

Written by

Newsletter
Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
The flaw, found in the Hashthemes Demo Importer plugin, allows any authenticated user to exsanguinate a vulnerable WordPress site, deleting nearly all database content and uploaded media.
Researchers have discovered a homicidal WordPress plugin that allows subscribers to wipe sites clean of content.
The high-severity security flaw is found in Hashthemes Demo Importer, a plugin that’s used in more than 8,000 active installations.
According to security researchers at Wordfence, the vulnerability allows any authenticated user to completely exsanguinate a vulnerable site, “permanently deleting nearly all database content as well as all uploaded media.”

The HashThemes Demo Importer plugin is designed to let admins easily import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files, .json theme options,.dat customizer files or .wie widget files.
In a Tuesday writeup, Wordfence’s Ram Gall said that the Wordfence Threat Intelligence team initiated the disclosure process for the bug on Aug. 25. For nearly a month, the developer failed to respond, so Wordfence got in touch with the WordPress plugins team on Sept. 20.
On the same day, the WordPress crew temporarily removed the Hashthemes Demo Importer from the repository, and a patched version was made available a few days later, on Sept. 24, although the plugin’s changelog makes no mention of it.
Wordfence’s Gall explained that the Hashthemes demo importer plugin hadn’t performed capability checks for many of its Ajax actions. Ajax is a JavaScript-based technology that allows a web page to fetch new information and present itself without refreshing the page.
“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers,” according to the Wordfence writeup. “The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.
Specifically, any logged-in user could trigger the hdi_install_demo Ajax function and provide a reset parameter set to true, Gall wrote, resulting in the plugin running its database_reset function.
“This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta,” Gall continued. “Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.”
Gall said that the vulnerability should remind us of the importance of backups for a site’s security. “While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up,” he wrote. Given that the vulnerability can lead to complete site takeover, he asked that if you know of somebody using this plugin on their site, please do give them a heads-up.
Rick Holland, CISO and vice president of strategy at digital risk protection vendor Digital Shadows, noted that the plugin vulnerability highlights the increased attack surface that third-party code ushers in, as do browser extensions.
That’s up to software vendors to deal with: “Software companies are responsible for their code and the code that runs on top of their code,” Holland told Threatpost via email.
Jake Williams, co-founder and CTO at incident response firm BreachQuest, said that the incident highlights the complexity of vulnerability management. “Not only do organizations need to know the content management systems they are running, but also the plugins that are running on those systems too,” he told Threatpost on Wednesday. “This is yet another example of supply chain security where the WordPress system was trustworthy, but the plugin (which the security team probably doesn’t even know was installed) left them vulnerable.”
Williams also noted that this kind of flaw attracts jerks, as opposed to financially motivated attackers. “I don’t think the majority of threat actors are interested in wiping databases and content in WordPress sites,” he told Threatpost on Wednesday. “It’s counter to the goals of most threat actors. That said, I do expect that some people will go and target these systems for fun, so it is a serious risk.”
Holland concurred: “Destructive threat actors, hacktivists, or actors deleting sites for the ‘lulz’ would be most interested in this sort of vulnerability,” he said.
It wouldn’t be tough to take advantage of such a flaw, either, Holland added: “Exploiting this vulnerability does require authentication, but given password use and account takeovers, that bar isn’t as high as it should be.”
Leo Pate, managing consultant at application security company nVisium, noted that WordPress is just like any software: Namely, it’s made by fallible humans. “Its developers and those that make WordPress components, such as plugins and templates, are bound to make mistakes,” he said in an email to Threatpost on Wednesday. He sent over the following cheatsheet on how to look holistically at a WordPress environment and how to incorporate security into all of its components: server, network and app layers.
His advice includes:
Within the WordPress plugin portal, users can see information that includes:
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
Share this article:
Anti-dumping code kept investors from selling SQUID while fraudsters cashed out.
Google’s Android November 2021 security updates plug 18 flaws in the framework and system components and 18 more in the kernel and vendor components.
‘Shrootless’ allows bypass of System Integrity Protection IT security measures to install a malicious rootkit that goes undetected and performs arbitrary device operations.
Patrick Pradhan on



This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
The @FBI says #ransomware gangs are targeting companies leading up to “significant, time-sensitive financial events… https://t.co/cNZg8oSdlb
14 mins ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.

source

Article Categories:
Vulnerabilities

Comments are closed.