
Ironic twist: WP Reset PRO bug lets hackers wipe WordPress sites
2021-11-10 17:00

A high severity security flaw in the WP Reset PRO WordPress plugin can let authenticated attackers wipe vulnerable websites, as revealed by Patchstack security researchers.

Subscriber is a default WordPress user role, often enabled so that registered users can leave comments in a site's comment section.

Patchstack CEO Oliver Sild told BleepingComputer that the bug is "Quite critical especially to e-commerce and other sites that have any registration open."

While, at first sight, this bug seems to be useful only for destructive purposes, Sild told BleepingComputer that it could also be exploited to gain access to other sites on the same server.

"If there is an old site forgotten to a subdirectory that has that plugin installed and the server environment is connected, then this would allow getting access to other sites in the same environment," Sild said.

The development team fixed the bug with the release of WP Reset PRO 5.99 on September 28, within 24 hours of Patchstack's disclosure, by adding an authentication and authorization check.
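The fix described above, adding an authentication and authorization check to a privileged plugin action, is the standard pattern for WordPress AJAX handlers. The following is an added illustration, not WP Reset PRO's own code or the vendor's patch: a hypothetical "reset" handler shown first without any check (reachable by any logged-in user, Subscriber included), then hardened with an explicit login check, a capability check and a nonce check. All function and action names prefixed `example_` are assumed.

```php
<?php
// Added illustration (not WP Reset PRO's code): a hypothetical WordPress
// admin-ajax action that performs a destructive "reset" operation.

// BEFORE: WordPress fires wp_ajax_* hooks for every authenticated user,
// regardless of role, so with no further checks a Subscriber can trigger this.
function example_reset_site_vulnerable() {
    // ... destructive work would go here (placeholder in this illustration)
    wp_send_json_success( 'reset done' );
}
add_action( 'wp_ajax_example_reset_site', 'example_reset_site_vulnerable' );

// AFTER: authentication, authorization and anti-CSRF checks before any work.
function example_reset_site_hardened() {
    // Authentication: wp_ajax_* only runs for logged-in users, but state it
    // explicitly so the handler stays safe if it is ever hooked elsewhere.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not authenticated', 403 );
    }
    // Authorization: check a capability, not a role name. manage_options is an
    // Administrator-level capability that the Subscriber role does not have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // CSRF: require the nonce issued for this specific action; on failure
    // check_ajax_referer() terminates the request.
    check_ajax_referer( 'example_reset_site_nonce', 'security' );

    // ... destructive work, now reachable only by an authorized administrator
    // presenting a valid nonce (placeholder in this illustration)
    wp_send_json_success( 'reset done' );
}
// Registered under a second action name only so both handlers can coexist in
// this illustration; a real fix replaces the vulnerable handler in place.
add_action( 'wp_ajax_example_reset_site_v2', 'example_reset_site_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, REST route or `admin_post_*` handler that changes state and confirm it performs both a capability check and a nonce check before acting.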


News URL

https://www.bleepingcomputer.com/news/security/ironic-twist-wp-reset-pro-bug-lets-hackers-wipe-wordpress-sites/

Related vendor

Vendor     Last 12M #/products  Low  Medium  High  Critical  Total vulns
Wordpress  7                    2    93      44    18        157