
WordPress Plugin Bug Allows Subscribers to Wipe Sites!

Researchers have discovered a dangerous bug in a WordPress plugin that allows subscribers to wipe sites clean of content.

The flaw, found in the Hashthemes Demo Importer plugin, allows any authenticated user to damage a vulnerable WordPress site, deleting nearly all database content and uploaded media.

The high-severity security flaw is found in Hashthemes Demo Importer, a plugin that is used in more than 8,000 active installations.

According to security researchers at Wordfence, the vulnerability allows any authenticated user to completely ‘gut’ a vulnerable site, “permanently deleting nearly all database content as well as all uploaded media.”

Demos for WordPress

The Hash Themes Demo Importer plugin is designed to let admins easily import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files, .json theme options, .dat customizer files or .wie widget files.

In a Tuesday writeup, Wordfence’s Ram Gall said that the Wordfence Threat Intelligence team initiated the disclosure process for the bug on Aug. 25. For nearly a month, the developer failed to respond, so Wordfence contacted the WordPress plugins team on Sept. 20.

WordPress Pulls Plugin, Puts Out Fix Lickety-Split

On the same day, the WordPress crew temporarily removed the Hashthemes Demo Importer from the repository, and a patched version was made available a few days later, on Sept. 24, although the plugin’s changelog makes no mention of it.

Every Database Table

Wordfence’s Gall explained that the Hashthemes Demo Importer plugin had not performed capability checks for many of its Ajax actions. Ajax is a JavaScript technique that lets a web page fetch additional data from the server and update itself without a full page reload; in WordPress, plugins expose such actions through admin-ajax.php, and it is the plugin’s job to verify that the calling user is allowed to run them.

“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers,” according to the Wordfence writeup.

“The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.”

Reset Parameter

Specifically, any logged-in user could trigger the hdi_install_demo Ajax function and provide a reset parameter set to true, Gall wrote, resulting in the plugin running its database_reset function.

“This function wiped the database by truncating every database table on the site except for wp_options, wp_users, & wp_usermeta,” Gall continued.

“Once the database was wiped, the plugin would then run its clear uploads function, which deleted every file & folder in wp-content/uploads.”
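To make the defect concrete, here is an added PHP example (not the plugin’s code): a nonce-only Ajax handler of the kind described above beside a hardened one that checks capability before anything else and only issues the nonce to administrators. The handler names, the hdi_demo_nonce action, the admin page hook and the hdi_demo_reset_site() helper are hypothetical.

```php
<?php
// Added illustrative example, not the Hashthemes plugin's own code.
// Names (hdi_demo_*, 'hdi_demo_nonce', the admin page hook) are hypothetical.

// Hypothetical stand-in for the destructive routine; intentionally a no-op here.
function hdi_demo_reset_site() {}

// BEFORE: nonce-only check. A nonce proves the request came from the site's own
// page, not that the user has privileges. If the nonce is printed into the admin
// dashboard for every logged-in role, a subscriber passes this check and reaches
// the reset branch.
function hdi_demo_import_unsafe() {
    check_ajax_referer( 'hdi_demo_nonce', 'nonce' );
    if ( isset( $_POST['reset'] ) && 'true' === $_POST['reset'] ) {
        hdi_demo_reset_site();
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hdi_install_demo_unsafe', 'hdi_demo_import_unsafe' );

// AFTER: capability check first, then the nonce, then strict input handling.
function hdi_demo_import_safe() {
    // 1. Only site administrators may import demos or reset content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    // 2. CSRF protection: the nonce must match the action it was created for.
    check_ajax_referer( 'hdi_demo_nonce', 'nonce' );
    // 3. Coerce the flag to a real boolean instead of trusting arbitrary strings.
    $reset = isset( $_POST['reset'] )
        && rest_sanitize_boolean( wp_unslash( $_POST['reset'] ) );
    if ( $reset ) {
        hdi_demo_reset_site();
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hdi_install_demo', 'hdi_demo_import_safe' );

// Generate the nonce only on the plugin's own admin page and only for users who
// may use it, so it is never rendered into pages that subscribers can see.
function hdi_demo_enqueue( $hook ) {
    if ( 'appearance_page_hdi-demo-importer' !== $hook
        || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hdi-demo', plugins_url( 'js/hdi-demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hdi-demo', 'hdiDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hdi_demo_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hdi_demo_enqueue' );
```

The order matters: wp_send_json_error() terminates the request, so a non-administrator never reaches the nonce check or the reset branch regardless of what nonce they obtained.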

Backups

Gall stated that the vulnerability should remind us of the importance of backups for a site’s security.

“While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up,” he wrote.

Given that the vulnerability can lead to complete site takeover, he asked that anyone who knows of somebody using this plugin on their site give them a heads-up.

Plugins Expand the Attack Surface

Rick Holland, CISO and VP of Strategy at digital risk protection vendor Digital Shadows, noted that the plugin vulnerability highlights the increased attack surface that third-party code ushers in, as browser extensions also do.

That is up to software vendors to deal with: “Software companies are responsible for their code and the code that runs on top of their code,” Holland explained.

Jake Williams, co-founder and CTO at incident response firm Breach Quest, said that the incident highlights the complexity of vulnerability management.

“Not only do organisations need to know the content management systems they are running, but also the plugins that are running on those systems too,” he suggested on Wednesday.

“This is yet another example of supply chain security where the WordPress system was trustworthy, but the plugin (which the security team probably doesn’t even know was installed) left them vulnerable.”

Demolish Sites

Williams also noted that this kind of flaw attracts jerks, as opposed to financially motivated attackers.

“I don’t think the majority of threat actors are interested in wiping databases and content in WordPress sites,” he suggested on Wed. “It’s counter to the goals of most threat actors. That said, I do expect that some people will go and target these systems for fun, so it is a serious risk.”

Holland concurred: “Destructive threat actors, hacktivists, or actors deleting sites for the ‘lulz’ would be most interested in this sort of vulnerability,” he observed.

It would not be tough to take advantage of such a flaw, either, Holland added:

“Exploiting this vulnerability does require authentication, but given password use and account takeovers, that bar isn’t as high as it should be.”

Weave Security Into WordPress

Leo Pate, managing consultant at application security company nVisium, noted that WordPress is just like any software: namely, it is made by fallible humans.

“Its developers and those that make WordPress components, such as plugins and templates, are bound to make mistakes,” he said on Wednesday. He offered the following checklist for looking holistically at a WordPress environment and building security into all of its components: the server, network and application layers.

Advice

His advice includes:

  • Do not run the WordPress server’s services as administrative users.
  • Ensure that all programs installed on the server, as well as the server itself, remain up to date with the latest patches.
  • Allow connections to the server only over TLSv1.2 or TLSv1.3; the ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency.
  • Change the default user credentials on the WordPress instance as well as the database credentials (if this was not done during the initial setup).
  • Obtain any plugins or templates used within WordPress from reputable sources and keep them up to date.

Plugin Portal

Within the WordPress plugin portal, users can see information that includes:

  • When the plugin was last updated
  • Reviews or comments about the plugin from users
  • How many times it has been installed

There are still a suitable number of things users could do to protect their WordPress websites that are not listed here. Some really good resources for further information include the Centre for Internet Security Benchmark documentation (https://learn.cisecurity.org/benchmarks) and the WordPress security documentation (https://wordpress.org/support/category/security).
