
Error in WordPress plugin allows subscribers to delete sites

A critical vulnerability in a WordPress plugin with more than 8,000 installations can allow authenticated attackers to reset vulnerable websites and delete their content. The affected plugin is Hashthemes Demo Importer.


WordPress plugin error

This is a plugin designed to help administrators import demos for WordPress themes without having to deal with installing dependencies.

The flaw could allow attackers to reset WordPress sites and delete almost all of the database contents and uploaded media.

Wordfence engineer and threat analyst Ram Gall explained that the plugin failed to perform its nonce checks correctly and leaked the AJAX nonce to every user in the dashboard of vulnerable sites, so even low-privileged users such as subscribers could obtain it.


As a result, logged-in subscriber-level users could exploit the flaw to delete all site content on sites running unpatched versions of the Hashthemes Demo Importer plugin.
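The root cause described above, as an added illustration that is not the plugin's code: an admin-ajax handler for a destructive action guarded only by a nonce that is localized on every dashboard page, next to a hardened version that checks a capability before the nonce and only hands the nonce to users who may use it. All function, hook and action names (`hypo_*`, `tools_page_hypo-importer`) are hypothetical.

```php
<?php
// Hypothetical destructive routine standing in for the plugin's reset/wipe logic.
// Not shown here; only the authorisation around it matters for this example.
function hypo_wipe_site_content() { /* ... */ }

// BEFORE (vulnerable pattern): the nonce is only a CSRF token, not proof of
// authorisation, yet it is the sole gate on a site-wiping action. Any logged-in
// user who can read the nonce from a dashboard page can call this endpoint.
function hypo_reset_site_handler_vulnerable() {
    check_ajax_referer( 'hypo_reset_site', 'nonce' ); // verifies nonce, nothing else
    hypo_wipe_site_content();
    wp_send_json_success();
}

// AFTER (hardened): authorise with a capability check first, then verify the
// nonce. Subscribers lack manage_options, so they are refused before anything runs.
function hypo_reset_site_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // also ends the request
    }
    check_ajax_referer( 'hypo_reset_site', 'nonce' );
    hypo_wipe_site_content();
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_reset_site', 'hypo_reset_site_handler' );

// The matching fix on the enqueue side. The vulnerable variant of this hook ran on
// every admin page with no capability check, so wp_localize_script() printed the
// nonce into the HTML that subscribers see in their own dashboard. Here the script
// (and therefore the nonce) is only emitted on the plugin's own page, for admins.
function hypo_enqueue_importer_script( $hook ) {
    if ( 'tools_page_hypo-importer' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hypo-importer', plugins_url( 'importer.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypo-importer', 'hypoImporter', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypo_reset_site' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypo_enqueue_importer_script' );
```

Note that a leaked nonce alone is harmless when the handler also enforces a capability; the two checks protect against different things (CSRF versus missing authorisation) and both are needed on any state-changing admin-ajax action.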

Hashthemes Demo Importer error

Subscriber, the role that could be used to wipe vulnerable sites, is one of WordPress's default user roles (alongside Contributor, Author, Editor and Administrator). It commonly exists on WordPress sites so that registered users can post comments in the site's comment section.

Normally, subscribers can only edit their own profile through the site dashboard and have no access to other admin pages.

The developers of Hashthemes Demo Importer were informed of the vulnerability on August 25, 2021, but did not respond to Wordfence for at least a month.


This prompted the researchers to contact the WordPress plugins team on September 20; the plugin was removed from the repository the same day, and a patch fixing the flaw was released four days later (September 24).

However, the Hashthemes Demo Importer developer did not mention version 1.1.2 or the fix in the plugin's changelog, despite having released a security update.

Source: Bleeping Computer
