WordPress admins have yet another vulnerable plugin to deal with, this time one that exposes their sites to a high-severity attack. Researchers found a site-reset bug in the HashThemes Demo Importer plugin that let any logged-in user wipe a site's database and uploads.
HashThemes Demo Importer Plugin Bug
The Wordfence team found a high-severity vulnerability in the HashThemes Demo Importer plugin. The plugin lets WordPress site owners import full theme demos with one click, and it has over 8,000 active installations.
As described in the Wordfence post, the plugin lacked proper capability checks on several of its AJAX functions. The handlers relied on an AJAX nonce that was exposed in the WordPress dashboard to every logged-in user, and a nonce only proves that a request originated from the site's own pages, not that the user is authorized to perform the action. Consequently, any authenticated user, even at the subscriber level, could trigger a site reset, and in the worst case delete the site's content.
Describing the flaw, Wordfence stated,
"Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads."
The vulnerability is tracked as CVE-2021-39333 and is rated high severity with a CVSS score of 8.1.
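The pattern Wordfence describes, a destructive AJAX action gated only by a nonce that low-privileged users can read, is the classic WordPress authorization mistake. The following is an added illustration written for this article; it is not the plugin's source code, and the hook, handler, nonce and script names (example_install_demo, example_demo_nonce, example-demo-importer) are hypothetical. It shows the weak handler next to a hardened one, and the reset helper is deliberately a dry run that only reports which tables the described logic would truncate rather than truncating them.

```php
<?php
/*
 * Added illustration, not the HashThemes Demo Importer source.
 * Hook, handler, nonce and script-handle names are hypothetical.
 *
 * Key fact: wp_ajax_{action} fires for ANY logged-in user, subscribers
 * included. It does not imply administrator privileges, so every handler
 * must do its own capability check; a nonce is a CSRF token, not an
 * authorization check.
 */

// --- Weak pattern: the nonce is the only gate ------------------------------
add_action( 'wp_ajax_example_install_demo', 'example_install_demo_weak' );
function example_install_demo_weak() {
    // Proves the request came from a page this site served. If the nonce is
    // printed into the dashboard for everyone, a subscriber can replay it.
    check_ajax_referer( 'example_demo_nonce', 'nonce' );

    $reset = isset( $_POST['reset'] )
        && 'true' === sanitize_text_field( wp_unslash( $_POST['reset'] ) );

    if ( $reset ) {
        // Any authenticated user reaches this line.
        wp_send_json_success( example_reset_site_dry_run() );
    }
    wp_send_json_success( 'demo import started' );
}

// --- Hardened pattern: authenticate the request AND authorize the user ------
add_action( 'wp_ajax_example_install_demo_safe', 'example_install_demo_safe' );
function example_install_demo_safe() {
    // 1. CSRF check, nonce bound to this specific action.
    check_ajax_referer( 'example_demo_nonce', 'nonce' );

    // 2. Capability check. Wiping a site is an administrator-only action;
    //    manage_options is the conventional gate for site-wide changes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Treat the destructive flag as a real boolean, not a loose string.
    $reset = isset( $_POST['reset'] )
        && filter_var( wp_unslash( $_POST['reset'] ), FILTER_VALIDATE_BOOLEAN );

    if ( $reset ) {
        wp_send_json_success( example_reset_site_dry_run() );
    }
    wp_send_json_success( 'demo import started' );
}

// Dry-run stand-in for the database_reset behaviour described above: it
// computes which tables the "everything except wp_options, wp_users and
// wp_usermeta" rule would truncate, and returns them instead of truncating.
function example_reset_site_dry_run() {
    global $wpdb;
    $keep   = array( $wpdb->options, $wpdb->users, $wpdb->usermeta );
    $tables = $wpdb->get_col( 'SHOW TABLES' );
    $would_truncate = array_values( array_diff( $tables, $keep ) );

    return array(
        'would_truncate' => $would_truncate,
        'would_delete'   => wp_upload_dir()['basedir'],
    );
}

// Only hand the nonce to users who are allowed to use it, on the plugin's
// own admin page, so it is never disclosed to a subscriber's dashboard.
// Assumes a script registered under the handle 'example-demo-importer'.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_example-demo-importer' !== $hook
        || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-demo-importer', 'exampleDemo', array(
        'nonce' => wp_create_nonce( 'example_demo_nonce' ),
    ) );
} );
```

When reviewing a plugin, grep for every wp_ajax_ registration and confirm the handler calls current_user_can() (or a role-appropriate capability) in addition to check_ajax_referer(); a handler that only verifies the nonce is reachable by every account on the site.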
Patch Deployed (But Not Disclosed)
Wordfence discovered the bug in August 2021 and attempted to contact the plugin developers, but heard nothing back for about a month. They followed up again in September 2021 and still received no response.
Nonetheless, Wordfence found that the developers had silently patched the vulnerability in plugin version 1.1.2. Oddly, that release does not appear in the changelog on the plugin's page at all: the changelog jumps from version 1.1.1 straight to 1.1.3, skipping 1.1.2.
What matters for users is that the bug has been fixed. The developers have since patched other issues as well, and the latest release at the time of writing is version 1.1.4. All users should therefore update to HashThemes Demo Importer 1.1.4 to receive every fix.