WordPress Plugin Bug Lets Subscribers Wipe Sites
A new flaw has been discovered in a popular WordPress plugin called Hashthemes Demo Importer. The vulnerability allows any authenticated user to wipe a vulnerable WordPress site completely clean, deleting all content and uploaded media. The plugin boasts more than 8,000 active installations. According to security researchers at Wordfence, the high-severity security flaws allow any authenticated user to access the site and delete content. The plugin is designed to allow admins to import demos for WordPress themes with a single click and without having to download files.
Wordfence stated that it had initiated the disclosure process for the bug on August 25. However, when the developer failed to respond, Wordfence reached out to the WordPress plugin team. Later that day, the Hashthemes Demo Importer was removed from the repository. Wordfence stated that the Hashthemes Demo Importer plugin had failed to perform capability checks for many of its actions, resulting in the flaws.
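The root cause Wordfence describes, a privileged action reachable by any logged-in user because no capability check is performed, corresponds to a concrete pattern in WordPress plugin code. The block below is an added illustration for plugin developers and reviewers; it is not code from the Hashthemes Demo Importer, from Wordfence, or from any other project, and the action name `hdi_example_reset`, the helper `hdi_example_reset_content()`, the script handle and the file path are all hypothetical. It shows an insecure handler beside the hardened form that gates the same action behind a capability check and a nonce check.

```php
<?php
/*
 * Added example, not code from the Hashthemes Demo Importer plugin.
 * Demonstrates the two guards a WordPress admin-ajax handler must perform
 * before doing anything destructive: an authorization (capability) check and
 * a CSRF (nonce) check. All names below are hypothetical.
 */

// INSECURE PATTERN (shown for contrast, registration left commented out).
// Any logged-in user, including a Subscriber, can reach a wp_ajax_* hook, so a
// handler that skips current_user_can() runs its privileged work for everyone.
function hdi_example_reset_insecure() {
    hdi_example_reset_content();   // hypothetical privileged helper
    wp_send_json_success();
}
// add_action( 'wp_ajax_hdi_example_reset', 'hdi_example_reset_insecure' );

// HARDENED HANDLER
function hdi_example_reset_secure() {
    // 1. Authorization: "authenticated" is not a privilege level. Require the
    //    capability appropriate for site-wide maintenance; manage_options is
    //    the conventional choice for administrator-only actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this exact
    //    action. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'hdi_example_reset', 'nonce' );

    // 3. Only now perform the privileged operation.
    hdi_example_reset_content();
    wp_send_json_success( array( 'message' => 'Demo content reset.' ) );
}
add_action( 'wp_ajax_hdi_example_reset', 'hdi_example_reset_secure' );

// Placeholder for the privileged operation (hypothetical). A real plugin would
// put its import or reset logic here; this stand-in only records that it ran.
function hdi_example_reset_content() {
    update_option( 'hdi_example_last_reset', time() );
}

// Admin page side: the nonce is minted server-side for the current user and
// handed to the page's JavaScript, which must send it back as the "nonce"
// field of the POST to admin-ajax.php. Script path is hypothetical.
function hdi_example_admin_scripts() {
    wp_enqueue_script(
        'hdi-example-admin',
        plugin_dir_url( __FILE__ ) . 'admin.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'hdi-example-admin', 'hdiExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hdi_example_reset' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hdi_example_admin_scripts' );
```

When auditing a plugin for this class of flaw, list every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route registration and confirm that each callback performs a capability check matched to the action's impact before any state change; the nonce check alone is not authorization, since a nonce is issued to whoever is logged in, Subscribers included.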