CyberNews Briefs

WordPress Plugin Bug Lets Subscribers Wipe Sites

A new flaw has been discovered in a popular WordPress plugin called Hashthemes Demo Importer. The vulnerability allows any authenticated user to wipe a vulnerable WordPress site completely clean, deleting all content and uploaded media. The plugin boasts more than 8,000 active installations. According to security researchers at Wordfence, the high-severity security flaws allow any authenticated user to access the site and delete content. The plugin is designed to allow admins to import demos for WordPress themes with a single click and without having to download files.

Wordfence stated that it had initiated the disclosure process for the bug on August 25. However, when the developer failed to respond, Wordfence reached out to the WordPress plugin team. Later that day, the Hashthemes Demo Importer was removed from the repository. Wordfence stated that the Hashthemes Demo Importer plugin had failed to perform capability checks for many of its actions, resulting in the flaws.

Read More: WordPress Plugin Bug Lets Subscribers Wipe Sites

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.