Hashthemes Demo Importer is a WordPress plugin that lets users import full demos with a single click. Initially developed to add demo-importer functionality to HashThemes, the plugin can be used to download any full demo. Security researchers discovered a high-severity flaw in the popular plugin, which has 8,000 active installs: the vulnerability allows authenticated attackers to reset and wipe vulnerable websites.
Security flaw of the plugin
Wordfence QA engineer and threat analyst Ram Gall explained that the vulnerability stemmed from an AJAX nonce that was exposed in the admin dashboard to all users, because the plugin failed to perform proper nonce checks. As a result, any logged-in user, even one not authorized for such actions, could reset or wipe the entire database of a website running an unpatched version of Hashthemes Demo Importer.
Ram Gall described the causes and effects of the vulnerability:
“While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up. Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function.
This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.”
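A hardened form of the AJAX handler described in the quote, written here as an added example (not the plugin's own code) to show why a nonce alone is not authorization; the handler name, nonce action name and confirmation parameter are assumptions, while database_reset() and clear_uploads() are the plugin functions named above and are assumed to be defined elsewhere:

```php
<?php
// Added example, not the plugin's code. Hypothetical names: hdi_install_demo_handler,
// the nonce action 'hdi_demo_nonce' and the 'confirm_reset' parameter.
// database_reset() and clear_uploads() are assumed to be defined by the plugin.

// Only the authenticated hook is registered; no 'wp_ajax_nopriv_' variant,
// so anonymous visitors never reach this handler at all.
add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_handler' );

function hdi_install_demo_handler() {
    // 1. Nonce check: this defends against CSRF only. A nonce that is printed
    //    in the dashboard for every logged-in user is not an authorization
    //    token, which is exactly the gap the quote describes.
    check_ajax_referer( 'hdi_demo_nonce', 'nonce' ); // dies on failure

    // 2. Capability check: the missing control. Truncating tables and deleting
    //    wp-content/uploads is an administrator-only action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Treat the destructive flag as untrusted input: only the literal
    //    string "true" plus an explicit confirmation triggers a reset.
    $reset   = isset( $_POST['reset'] )
        && 'true' === sanitize_text_field( wp_unslash( $_POST['reset'] ) );
    $confirm = isset( $_POST['confirm_reset'] )
        && 'yes' === sanitize_text_field( wp_unslash( $_POST['confirm_reset'] ) );

    if ( $reset ) {
        if ( ! $confirm ) {
            wp_send_json_error( array( 'message' => 'Reset requires explicit confirmation.' ), 400 );
        }
        // Leave an audit trail before anything irreversible happens.
        error_log( sprintf( 'hdi: database reset requested by user ID %d', get_current_user_id() ) );
        database_reset();  // truncates all tables except wp_options, wp_users, wp_usermeta
        clear_uploads();   // deletes everything under wp-content/uploads
    }

    // The demo import itself would follow here; it is not part of this example.
    wp_send_json_success( array( 'reset' => $reset ) );
}
```

The ordering matters: the nonce check stops cross-site requests, the capability check stops low-privilege accounts, and neither substitutes for the other.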