Wordfence warns of WordPress plugin vulnerability allowing site deletion

By /

Researchers at Wordfence warned of a vulnerability (CVE-2021-39333) affecting a known WordPress plugin. The plugin, HashThemes Demo Importer, has a vulnerability (rated 8.1 on the CVSS scale) that, when exploited, can cause a full reset of a WordPress site. This effectively would wipe any trace of prior data on a WordPress webpage, regardless if it is written word or forms of media.

This latest plugin vulnerability is one of several that has plagued the popular WordPress blog-building program over the past few years.

Wordfence explains in the following excerpt the core cause of the HashThemes Demo Importer vulnerability:

The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.

 

Any logged-in user could trigger the hdi_install_demo AJAX function and provide a parameter set to true, resulting in the plugin running it’s database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.

Users of Wordfence Premium were protected from this via a firewall alteration. Wordfence also states in their post that they first contacted the developers of HashThemes in late August. It took the developers a month to respond, and when they finally did, they released a patch that they neglected to mention in their changelog. The most up-to-date patch is, as of this article’s writing, patch 1.1.2. The best course of action is to install the HashThemes Demo Importer update if you have not already done so. There are no workarounds for this vulnerability so, the quicker, the better.

Featured image: Shutterstock

About The Author

Derek Kortepeter is a graduate of UCLA and tech journalist. Kortepeter specializes in areas such as cyber defense, privacy rights, cyber warfare, and governmental InfoSec policy.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top