WordPress Plugin Bug Enables Subscribers To Wipe Sites

Share post:

A serious vulnerability in the Hashthemes Demo Importer, a WordPress plugin with more than 8,000 active installations, may allow authenticated attackers to reset and erase target websites.

The Hashthemes Demo Importer plugin is installed to help admins import demos for WordPress themes with a single and no further dependencies.

The security bug enables authenticated attackers to reset WordPress pages and delete almost all database contents and uploaded media.

Ram Gall, Wordfence QA engineer and threat analyst, explained that the plugin could not be properly verified once, causing the AJAX nonce on the admin dashboard of vulnerable websites to leak to all users, “including low privileged users such as subscribers.”

As a result, logged-in subscriber users could exploit the vulnerability to delete all content on websites with unpatched versions of Hashthemes Demo Importer.

While Wordfence reported the bug to the plugin’s development team in August, the developers did not address the vulnerability for the next month.

This prompted Wordfence to contact the WordPress plugins team on September 20, which resulted in the plugin being removed on the same day and a patch being released four days later to fix the bug.

Nevertheless, the developer of the Hashthemes Demo Importer did not announce version 1.1. 2 release or the update on the plugin’s changelog page despite releasing a security update.

For more information, read the original story in BleepingComputer.

Featured Tech Jobs


Related articles

All Okta customer support users had their email addresses copied

Identity and access provider Okta now says the threat actor who accessed its customer help desk system last month got the names and email addresses of all contacts of organizations that use its support system. Originally, the company said that, after an investigation, it determined only one per cent of the contacts from its 18,000

Failure of technology to detect attacks is a prime cause of breaches: Survey

Despite the money being poured into cybersecurity by IT departments, the leading cause of breaches of security controls was the failure of technology to detect an attack, a new survey from Trellix suggests. Forty-two per cent of respondents to the international survey of infosec leaders whose organization had suffered a recent cyber attack said their

Canadian group gets $2.2 million to research AI threat detection for wireless networks

Ericsson Canada and three universities have been awarded funds by the National Cybersecurity

Cyber Security Today, Nov. 29, 2023 – More ransomware attacks on the healthcare sector

This episode reports on a company hit twice by a ransomware gang, the arrest in Ukraine of the alleged head of a ransomware gang

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways