Researchers have discovered a dangerous WordPress plugin that allows subscribers to wipe sites clean of content.
The flaw, found in the Hashthemes Demo Importer plugin, allows any authenticated user to damage a vulnerable WordPress site, deleting nearly all database content & uploaded media.
The high-severity security flaw is found in Hashthemes Demo Importer, a plugin that is used in more than 8,000 active installations.
According to security researchers at Wordfence, the vulnerability allows any authenticated user to completely ‘gut’ a vulnerable site, “permanently deleting nearly all database content as well as all uploaded media.”
Demos for WordPress
The Hash Themes Demo Importer plugin is designed to let admins easily import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files, .json theme options,.dat customizer files or .wie widget files.
In a Tues. writeup, Wordfence’s Ram Gall said that the Wordfence Threat Intelligence team initiated the disclosure process for the bug on Aug. 25. For nearly a month, the developer failed to respond, so Wordfence contacted the WordPress plugins team on Sept. 20.
WordPress Pulls Plugin, Puts Out Fix Lickety-Split
On the same day, the WordPress crew temporarily removed the Hashthemes Demo Importer from the repository, and a patched version was made available a few days later, on Sept. 24, although the plugin’s changelog makes no mention of it.
Every Database Table
Wordfence’s Gall explained that the Hashthemes demo importer plugin had not performed capability checks for many of its Ajax actions. Ajax is a JavaScript-based technology that allows a web page to fetch added information & present itself without refreshing the page.
“While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers,” according to the Wordfence writeup.
“The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.
Reset Parameter
Specifically, any logged-in user could trigger the hdi_install_demo Ajax function and provide a reset parameter set to true, Gall wrote, resulting in the plugin running its database_reset function.
“This function wiped the database by truncating every database table on the site except for wp_options, wp_users, & wp_usermeta,” Gall continued.
“Once the database was wiped, the plugin would then run its clear uploads function, which deleted every file & folder in wp-content/uploads.”
Backups
Gall stated that the vulnerability should remind us of the importance of backups for a site’s security.
“While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up,” he wrote.
Given that the vulnerability can lead to complete site takeover, he asked that if you know of somebody using this plugin on their site, please do give them a heads-up.
Plugins Expand the Attack Surface
Rick Holland, CISO & VP of Strategy at digital risk protection vendor Digital Shadows, noted that the plugin vulnerability highlights the increased attack surface that 3d-party code ushers in, as do browser extensions.
That is up to software vendors to deal with: “Software companies are responsible for their code and the code that runs on top of their code,” Holland explained.
Jake Williams, co-founder & CTO at incident response firm Breach Quest, outlined that the incident highlights the complexity of vulnerability management.
“Not only do organisations need to know the content management systems they are running, but also the plugins that are running on those systems too,” he suggested Wed
“This is yet another example of supply chain security where the WordPress system was trustworthy, but the plugin (which the security team probably doesn’t even know was installed) left them vulnerable.”
Demolish Sites
Williams also noted that this kind of flaw attracts jerks, as opposed to financially motivated attackers.
“I don’t think the majority of threat actors are interested in wiping databases and content in WordPress sites,” he suggested on Wed. “It’s counter to the goals of most threat actors. That said, I do expect that some people will go and target these systems for fun, so it is a serious risk.”
Holland concurred: “Destructive threat actors, hacktivists, or actors deleting sites for the ‘lulz’ would be most interested in this sort of vulnerability,” he observed.
It would not be tough to take advantage of such a flaw, either, Holland added:
“Exploiting this vulnerability does require authentication, but given password use and account takeovers, that bar isn’t as high as it should be.”
Weave Security Into WordPress
Leo Pate, managing consultant at application security company nVisium, noted that WordPress is just like any software: Namely, it is made by fallible humans.
“Its developers and those that make WordPress components, such as plugins and templates, are bound to make mistakes,” he said on Wed. He revealed the following check-sheet on how to look holistically at a WordPress environment & how to incorporate security into all of its components: server, network & app layers.
Advice
His advice includes:
- Not running the WordPress server’s services as administrative users
- Ensure that all programs installed on the server, as well as the server itself, remains up to date with the latest patches
- The server only allows connections over TLSv1.2 or TLSv1.3, the ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency
- Default user credentials should be changed on the WordPress instance as well as the database credentials (if not done during the initial setup)
- Any plugins or templates used within WordPress should be from reputable sources & be kept up to date.
Plugin Portal
Within the WordPress plugin portal, users can see information that includes:
- When the plugin was last updated
- Review or comments about the plugin from users
- How many times it has been installed There are still a suitable number of things users could do to protect their WordPress websites that are not listed here.
- Some really good resources for further information include the Centre for Internet Security Benchmark documentation (https://learn.cisecurity.org/benchmarks) & the WordPress security documentation (https://wordpress.org/support/category/security).
https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/
