WordPress Plugin Bug Lets Subscribers Wipe Sites
A high-severity security flaw found in a WordPress plugin that has 8,000+ active installs can allow authenticated attackers to reset and wipe vulnerable websites.
This plugin, Hashthemes Demo Importer, was developed to help admins import a full WordPress theme demo with one click.
According to Wordfence’s QA engineer and threat analyst Ram Gall, “The flaw gives any authenticated attacker, even the subscriber-level user with minimal permissions, the ability to reset WordPress sites by zapping virtually all its databases and uploaded media.” He goes on to say that “if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable, unless of course its owners had properly backed it up.”
Note that the plugin's developer has released a corrected version (version 1.0.7).
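The lesson in the flaw above is that a `wp_ajax_*` handler is reachable by every logged-in user, subscribers included, so a destructive action needs its own authorization check. The following is an added example of the guards a WordPress plugin should place in front of an admin-only reset action; it is not the Hashthemes Demo Importer's code and makes no claim about how that plugin was actually written. The hook, nonce and function names (`example_reset_site`, `example_reset_site_nonce`, `example_perform_reset`) are illustrative; the WordPress functions called are real core APIs.

```php
<?php
// Added example, not the plugin's own code: guarding a destructive,
// admin-only AJAX action. Only wp_ajax_ (not wp_ajax_nopriv_) is hooked, so
// unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_example_reset_site', 'example_handle_reset_site' );

function example_handle_reset_site() {
    // 1. Authorization: every authenticated user, down to subscriber level,
    //    can call a wp_ajax_* action. Require a capability only administrators
    //    hold before doing anything irreversible.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: require a nonce minted for this specific action.
    //    A nonce is not authorization on its own; any user who can load the
    //    page that prints it can also replay it, so both checks are needed.
    check_ajax_referer( 'example_reset_site_nonce', 'nonce' );

    // 3. Explicit confirmation phrase for an action that wipes content.
    $confirm = isset( $_POST['confirm'] )
        ? sanitize_text_field( wp_unslash( $_POST['confirm'] ) )
        : '';
    if ( 'RESET' !== $confirm ) {
        wp_send_json_error( array( 'message' => 'Confirmation phrase missing.' ), 400 );
    }

    // 4. Leave an audit trail before touching the database or uploads.
    error_log( sprintf(
        'Site reset requested by user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    example_perform_reset();
    wp_send_json_success( array( 'message' => 'Reset complete.' ) );
}

// Hypothetical placeholder for the plugin's actual reset logic; the example
// is about the guards in front of it, not the reset itself.
function example_perform_reset() {
    do_action( 'example_before_reset' );
}

// Print the nonce only on the admin screen that offers the reset button, so
// the token is tied to this action and to the current user's session.
function example_print_reset_nonce() {
    if ( current_user_can( 'manage_options' ) ) {
        wp_nonce_field( 'example_reset_site_nonce', 'nonce' );
    }
}
```

The order matters: the capability check comes first because it is the control that actually stops a subscriber, and the nonce check second because it only proves the request came from a page WordPress rendered for that same user, not that the user is allowed to reset the site.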
While this vulnerability is specific to WordPress users, it's a prime example of how plugins expand the attack surface. OneNeck CISO Katie McCullough states, "Best practice is to use the fewest number of plugins needed to complete work, and uninstall any plugins not being used. And specific to this vulnerability, ensure WordPress and plugins are updated to the latest versions and have the most recent patches applied."
An effective security defense really starts with the basics. As Katie states, “Some companies think they can deploy patches on a quarterly basis or put them off indefinitely because they want to avoid downtime, but we’ve seen how costly such decisions can be.”
So, the moral of the story: be diligent about updates and patching. Good cyber hygiene can be what keeps your organization safe from bad actors.
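The two checks the advice above asks for, unused plugins that should be uninstalled and installed plugins with a patch waiting, can be pulled straight out of WordPress. The following is an added example of a small must-use plugin that produces that report; it is not code from the page or from any of the parties quoted. The plugin name, the function name `example_plugin_hygiene_report` and the dashboard widget id are this example's own; `get_plugins()`, `get_plugin_updates()`, `is_plugin_active()` and `wp_add_dashboard_widget()` are WordPress core functions.

```php
<?php
/**
 * Plugin Name: Example Plugin Hygiene Report (added example, not a real plugin)
 *
 * Place in wp-content/mu-plugins/. Lists installed plugins that are inactive
 * (candidates for removal) and plugins with an update pending, so that the
 * attack surface is kept to what is actually in use and what is in use is
 * patched.
 */

function example_plugin_hygiene_report() {
    // These admin-side helpers are not loaded on every request.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/update.php';

    $installed = get_plugins();         // plugin file => header data, every installed plugin
    $updates   = get_plugin_updates();  // plugin file => object whose ->update carries new_version

    $report = array( 'inactive' => array(), 'outdated' => array() );

    foreach ( $installed as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $report['inactive'][] = $data['Name'] . ' ' . $data['Version'];
        }
        if ( isset( $updates[ $file ] ) ) {
            $report['outdated'][] = sprintf(
                '%s %s -> %s',
                $data['Name'],
                $data['Version'],
                $updates[ $file ]->update->new_version
            );
        }
    }
    return $report;
}

// Surface the report on the dashboard for users who can update plugins.
// From WP-CLI the same data is available with:
//   wp eval 'print_r( example_plugin_hygiene_report() );'
add_action( 'wp_dashboard_setup', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    wp_add_dashboard_widget( 'example_hygiene', 'Plugin hygiene', function () {
        $r        = example_plugin_hygiene_report();
        $inactive = implode( ', ', $r['inactive'] );
        $outdated = implode( ', ', $r['outdated'] );
        echo '<p><strong>Inactive (consider removing):</strong> '
            . esc_html( '' === $inactive ? 'none' : $inactive ) . '</p>';
        echo '<p><strong>Updates pending:</strong> '
            . esc_html( '' === $outdated ? 'none' : $outdated ) . '</p>';
    } );
} );
```

An inactive plugin still ships its code to the server, and in WordPress some of that code can remain reachable, so "inactive" is a removal candidate rather than a safe state; the report is meant to be acted on, not just read.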
Interested in talking to one of our security experts? Contact us today.