
WordPress Plugin Bug Lets Subscribers Wipe Sites
2021-10-27 21:39

The flaw, found in the Hashthemes Demo Importer plugin, lets any authenticated user, down to the lowest subscriber role, wipe a vulnerable WordPress site, deleting nearly all database content and uploaded media.

Researchers have discovered a flaw in a WordPress plugin that allows subscriber-level users to wipe sites clean of content.

The HashThemes Demo Importer plugin is designed to let admins import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files. A demo import of this kind typically resets the site's existing content first, which is why an unauthorized caller of that function can destroy posts, pages and media wholesale.
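To show the class of bug this describes, the following is an added illustration and not the plugin's own code: a hypothetical demo-import plugin registers a "reset site" AJAX action, and the only thing standing between a logged-in subscriber and a wiped database is an authorization check. All plugin, hook and function names (hdi_example_*) are assumptions made for the example; the WordPress API calls (add_action, check_ajax_referer, current_user_can, get_posts, wp_delete_post, wp_send_json_*) are real.

```php
<?php
// Added illustration of the bug class, not the Hashthemes Demo Importer's code.
// Names prefixed hdi_example_ are assumptions for this example.

// wp_ajax_* handlers run for ANY logged-in user, subscribers included.
add_action( 'wp_ajax_hdi_example_reset', 'hdi_example_reset_vulnerable' );

// Vulnerable pattern: the nonce only proves the request originated from the
// site's own pages (CSRF protection). If the nonce is printed into a script
// that every dashboard user can load, a subscriber has it too. Nothing here
// asks WHO is making the request, so a subscriber can wipe the site.
function hdi_example_reset_vulnerable() {
    check_ajax_referer( 'hdi_example_nonce', 'nonce' );
    hdi_example_wipe_content();
    wp_send_json_success( 'reset done' );
}

// Hardened handler: a capability check in addition to the nonce. A caller
// without manage_options gets a 403 and the destructive code never runs.
function hdi_example_reset_hardened() {
    check_ajax_referer( 'hdi_example_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // terminates the request
    }
    hdi_example_wipe_content();
    wp_send_json_success( 'reset done' );
}

// The destructive part both handlers share: permanently delete every post of
// every public type, then every media attachment (which also removes the
// uploaded file from disk). Attachments use the 'inherit' status, so they
// need their own query.
function hdi_example_wipe_content() {
    $posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    $media = get_posts( array(
        'post_type'   => 'attachment',
        'post_status' => 'inherit',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( array_merge( $posts, $media ) as $id ) {
        wp_delete_post( $id, true ); // true = skip the trash, delete permanently
    }
}
```

When reviewing a plugin for this pattern, grep for `wp_ajax_` and `admin_post_` hooks and confirm each destructive handler calls `current_user_can()` with an appropriate capability; a `check_ajax_referer()` call on its own is not an authorization check, and a nonce that is localized into scripts on every admin page is effectively public to all logged-in users.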

Wordfence, which discovered the flaw, reported it to the developer, but for nearly a month the developer failed to respond, so Wordfence got in touch with the WordPress plugins team on Sept. 20.

On the same day, the WordPress plugins team temporarily removed the Hashthemes Demo Importer from the repository, and a patched version was made available a few days later, on Sept. 24, although the plugin's changelog makes no mention of the fix. Site owners should not rely on the changelog to decide whether they are patched; compare the installed version against the Sept. 24 release instead.

"This is yet another example of supply chain security where the WordPress system was trustworthy, but the plugin left them vulnerable."


News URL

https://threatpost.com/wordpress-plugin-bug-wipe-sites/175826/

Related vendor

VENDOR     LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Wordpress  7          (not given)  2     93       44     18         157
Plugin     2          (not given)  0     13       1      0          14