WordPress Plugin Bug Lets Subscribers Wipe Sites

A high-severity security flaw found in a WordPress plugin that has 8,000+ active installs can allow authenticated attackers to reset and wipe vulnerable websites.

This plugin, Hashthemes Demo Importer, was developed to assist admins when importing demos for WordPress themes to import the full demo with one click.

According to Wordfence’s QA engineer and threat analyst Ram Gall, “The flaw gives any authenticated attacker, even the subscriber-level user with minimal permissions, the ability to reset WordPress sites by zapping virtually all its databases and uploaded media.” He goes on to say that “if exploited, the flaw would render a website running the vulnerable plugin completely unrecoverable, unless of course its owners had properly backed it up.”

Note that a corrected version (version 1.0.7) has been uploaded by the plugin’s developer.

While this vulnerability is specific to WordPress users, it’s a prime example that plugins expand the attack surface. OneNeck CISO Katie McCullough states, “Best practice is to use the fewest number of plugins needed to complete work, and uninstall any plugins not being used. And specific to this vulnerability, ensure WordPress and plugins are updated to the latest versions and have the most recent patches applied.”

An effective security defense really starts with the basics. As Katie states, “Some companies think they can deploy patches on a quarterly basis or put them off indefinitely because they want to avoid downtime, but we’ve seen how costly such decisions can be.”

So, moral of the story, be diligent in your updates and patching. Good cyber hygiene can be what keeps your organization safe from bad actors.

Interested in talking to one of our security experts? Contact us today.

Get In Touch

Call Us

For general inquiries, call: 855.ONENECK

Immediate Assistance

Managed services support: 800.272.3077
Non-managed service support: 515.334.5755
Or visit our service desk:
Service Desk Portal

Chat With Us

Hours available: 24/7
Start a Chat

OneNeck Headquarters

525 Junction Road
Madison, WI 53717
View All Locations

Talk to Our Team