Researchers have helped patch a high-severity security flaw in a popular WordPress plugin, which could be exploited to completely wipe and reset any vulnerable WordPress website.
Discovered by WordPress security experts Wordfence, the vulnerability exists in the Hashthemes Demo Importer plugin, which has more than 7,000 active installs according to Wordfence researchers and is designed to help administrators import demos for WordPress themes with a single click.
According to Wordfence's QA engineer and threat analyst Ram Gall, the flaw gave any authenticated attacker the ability to permanently delete nearly all database content as well as all uploaded media.
While many vulnerabilities can have devastating effects, researchers say this one stands out: it would be impossible to recover a site where it was exploited unless the site had been backed up.
If users are running a vulnerable version of this plugin, researchers urge them to update to the latest version available, 1.1.4, as soon as possible.
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "WordPress seems to make the vulnerability headlines perennially; however, in this case, it is through a plugin. This plugin vulnerability highlights the increased attack surface from third-party code in the same way that browser extensions do. Software companies are responsible for their code and the code that runs on top of their code. Destructive threat actors, hacktivists, or actors deleting sites for the 'lulz' would be most interested in this sort of vulnerability. Exploiting this vulnerability does require authentication, but given password use and account takeovers, that bar isn't as high as it should be."
"I don't think the majority of threat actors are interested in wiping databases and content in WordPress sites. It's counter to the goals of most threat actors," explains Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response. "That said, I do expect that some people will go and target these systems for fun, so it is a serious risk. This incident highlights the complexity of vulnerability management. Not only do organizations need to know the content management systems they are running, but also the plugins that are running on those systems too. This is yet another example of supply chain security where the WordPress system was trustworthy, but the plugin (which the security team probably doesn't even know was installed) left them vulnerable."