HashThemes Demo Importer Plugin Bug Could Allow Wiping WordPress Sites

WordPress admins have to deal with another vulnerable WordPress plugin that poses a highly severe threat to their websites. Specifically, researchers found a site deletion bug in HashThemes Demo Importer plugin that would allow resetting or deleting websites.

HashThemes Demo Importer Plugin Bug

Team Wordfence has found a high-severity vulnerability in the HashThemes Demo Importer plugin. It is a dedicated plugin for WordPress websites to import full theme demos with one click. The plugin currently boasts over 8000 active installations.

As per the details shared in the post, the plugin had poor capability checks for several AJAX functions. This allowed underprivileged authenticated users of the site to visualize the AJAX nonce in the dashboard. Consequently, an authenticated adversary, even at the subscriber level, could reset the site. In the worst-case exploitation, an adversary could even delete the site content.

Describing the flaw, Wordfence stated,

Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.

This vulnerability, CVE-2021-39333, has attained a high-severity rating with a CVSS score of 8.1.

Patch Deployed (But Not Disclosed)

The researchers discovered this bug in august 2021, after which they attempted to contact the plugin developers. However, they didn’t hear back for about a month. Hence, they followed up with the developers again in September 2021. Still, they received no response.

Nonetheless, Wordfence found that the developers had silently patched the vulnerability with plugin version 1.1.2. But, oddly, they didn’t state about this release in the changelog on the plugin’s page. Instead, it lists version 1.1.3 following version 1.1.1 (skipping 1.1.2).

Anyhow, what matters for the users is that the bug has received a fix. Also, the developers have patched other issues as well, consequently having the plugin version 1.1.4 as the latest release. Therefore, all users must ensure updating their websites with the latest HashThemes Demo Importer 1.1.4 to receive all bug fixes.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients