BEST OF THE WEB

WordPress Plugin Bug Enables Subscribers To Wipe Sites

A serious vulnerability in the Hashthemes Demo Importer, a WordPress plugin with more than 8,000 active installations, may allow authenticated attackers to reset and erase target websites.

The Hashthemes Demo Importer plugin is installed to help admins import demos for WordPress themes with a single and no further dependencies.

The security bug enables authenticated attackers to reset WordPress pages and delete almost all database contents and uploaded media.

Ram Gall, Wordfence QA engineer and threat analyst, explained that the plugin could not be properly verified once, causing the AJAX nonce on the admin dashboard of vulnerable websites to leak to all users, “including low privileged users such as subscribers.”

As a result, logged-in subscriber users could exploit the vulnerability to delete all content on websites with unpatched versions of Hashthemes Demo Importer.

While Wordfence reported the bug to the plugin’s development team in August, the developers did not address the vulnerability for the next month.

This prompted Wordfence to contact the WordPress plugins team on September 20, which resulted in the plugin being removed on the same day and a patch being released four days later to fix the bug.

Nevertheless, the developer of the Hashthemes Demo Importer did not announce version 1.1. 2 release or the update on the plugin’s changelog page despite releasing a security update.

IT World Canada Staff
IT World Canada Staffhttp://www.itworldcanada.com/
The online resource for Canadian Information Technology professionals.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web