
Brutal WordPress plugin bug allows subscribers to wipe sites
2021-10-26 19:19

A high severity security flaw found in a WordPress plugin with more than 8,000 active installs can let authenticated attackers reset and wipe vulnerable websites.

The plugin in question, known as Hashthemes Demo Importer, is designed to help admins import demos for WordPress themes with a single click, without having to install any dependencies.

The security bug would allow authenticated attackers to reset WordPress sites and delete almost all database content and uploaded media.

As a direct consequence of this bug, logged-in subscriber-level users could abuse it to wipe all the content on sites running unpatched versions of Hashthemes Demo Importer.

Subscriber, one of the user roles that could wipe vulnerable sites, is a default WordPress role that site owners often enable so that registered users can post comments in the website's comment section.

This prompted Wordfence to reach out to the WordPress plugins team on September 20, which led to the plugin's removal the same day and the release of a patch addressing the bug four days later, on September 24.


News URL

https://www.bleepingcomputer.com/news/security/brutal-wordpress-plugin-bug-allows-subscribers-to-wipe-sites/

Related vendor

VENDOR      LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Wordpress   7                     2     93       44     18         157
Plugin      2                     0     13       1      0          14