This vicious WordPress plugin bug could wipe out your entire site


Cybersecurity researchers have helped fix a high-severity vulnerability in a WordPress plugin that could be exploited to completely erase and reset any site running the vulnerable version.

Discovered by WordPress security firm Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugin, which has over 8,000 active installations and is designed to let administrators import demo content for WordPress themes with a single click.

According to Wordfence QA engineer and threat analyst Ram Gall, the flaw gives any authenticated attacker, even a subscriber-level user with minimal permissions, the ability to reset a WordPress site by deleting nearly all of its database content and uploaded media.

Missing capability checks

According to Gall, the vulnerability exists because the Hashthemes Demo Importer plugin failed to properly perform capability checks for many of its AJAX actions.

“Although it performed a nonce check, the AJAX nonce was visible in the admin dashboard to all users, including low-privileged users such as subscribers. The most serious consequence of this was that a subscriber-level user could reset all of the content on a given site,” noted Gall.

He says that, if exploited, the flaw would leave a website running the vulnerable plugin completely unrecoverable, unless its owners had a proper backup to restore from.
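To make the mechanism concrete, here is an added illustration in PHP (not the Hashthemes Demo Importer's own code, and not from Wordfence): a generic "reset site" AJAX endpoint written with the same weakness the article describes, followed by the hardened form. The action names, nonce name, admin page hook and helper function are hypothetical. The point is that a WordPress nonce only defends against cross-site request forgery; it is not an authorization check, and `wp_ajax_{action}` handlers run for every logged-in user regardless of role.

```php
<?php
/**
 * Added example, not the plugin's code. Action, nonce and function names
 * (demo_reset_*, 'tools_page_demo-reset') are assumptions for illustration.
 */

// ---- Vulnerable pattern: nonce check only --------------------------------

// The nonce is emitted on every admin screen for every logged-in user.
// A subscriber can reach wp-admin/profile.php, read demoReset.nonce from the
// page source, and replay it against admin-ajax.php.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-reset-js', plugins_url( 'reset.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-reset-js', 'demoReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_reset_nonce' ),
    ) );
} );

// wp_ajax_* fires for ANY authenticated user; nothing here asks what role
// the caller has, so a subscriber with a valid nonce wipes the site.
add_action( 'wp_ajax_demo_reset_site_insecure', function () {
    check_ajax_referer( 'demo_reset_nonce', 'nonce' ); // CSRF protection only
    demo_reset_wipe_content();
    wp_send_json_success( 'site reset' );
} );

// ---- Hardened pattern: nonce check AND capability check ------------------

// 1. Only emit the nonce on the plugin's own page, and only to users who
//    could legitimately use it. (The $hook value is an assumption; it is
//    whatever add_submenu_page() returned for the plugin's page.)
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'tools_page_demo-reset' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'demo-reset-js', plugins_url( 'reset.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-reset-js', 'demoReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_reset_nonce' ),
    ) );
} );

// 2. Check the capability server-side on every request. Limiting who sees
//    the nonce (step 1) is defence in depth, not a substitute for this.
add_action( 'wp_ajax_demo_reset_site', function () {
    check_ajax_referer( 'demo_reset_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    demo_reset_wipe_content();
    wp_send_json_success( 'site reset' );
} );

/**
 * Destructive helper standing in for the kind of "reset" the article
 * describes: permanently deletes all posts of every type and status, which
 * for attachments also removes the uploaded files from disk.
 */
function demo_reset_wipe_content() {
    $posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $posts as $post_id ) {
        if ( 'attachment' === get_post_type( $post_id ) ) {
            wp_delete_attachment( $post_id, true );
        } else {
            wp_delete_post( $post_id, true );
        }
    }
}
```

When reviewing a plugin for this class of bug, grep for every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm the handler calls `current_user_can()` (or a role-appropriate capability) in addition to `check_ajax_referer()`; a handler that does anything destructive or privileged with only the nonce check is exactly the pattern described above.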

Gall also notes that Wordfence first reported the issue to the plugin's developer, which drew no response. They then raised it with the WordPress plugins team, who temporarily removed the plugin from the WordPress plugin directory.

A corrected version was uploaded by the plugin's developer a few days later, but Gall notes that the changelog for the new version did not mention the security fix, so site owners would have had no indication from the changelog alone that an update was urgent.
