Site Deletion Vulnerability in Hashthemes Plugin
Update: a previous version of this article incorrectly indicated that this vulnerability could be used for site takeover, we have updated this for accuracy, as the impact is instead complete loss of site content.
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.
On August 25, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations.
This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.
As we did not receive a response from the developer for nearly a month, we contacted the WordPress plugins team with our disclosure on September 20, 2021. The plugin was temporarily removed from the repository the same day, and a patched version, 1.1.2, was made available on September 24, 2021, though it was not mentioned in the developer changelog.
Wordfence Premium customers received a firewall rule protecting against this vulnerability on August 25, 2021. Sites running the free version of Wordfence received the same rule 30 days later, on September 24, 2021.
Affected Plugin: Hashthemes Demo Importer
Plugin Slug: hashthemes-demo-importer
Plugin Vendor: Hashthemes
Affected Versions: <= 1.1.1
CVE ID: CVE-2021-39333
CVSS Score: 8.1(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall
The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.
Any logged-in user could trigger the
hdi_install_demo AJAX function and provide a
reset parameter set to
true, resulting in the plugin running it’s
database_reset function. This function wiped the database by truncating every database table on the site except for
wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in
August 25, 2021 – Wordfence Threat Intelligence finishes our investigation and attempts to initiate disclosure for a vulnerability in HashThemes Demo Importer. We release a firewall rule to Wordfence Premium customers.
September 20, 2021 – We contact the WordPress plugins team as we have not received a response from the plugin developer. The plugin is temporarily removed from the WordPress.org repository.
September 24, 2021 – A patched version of the plugin, 1.1.2, becomes available. The firewall rule becomes available to free Wordfence users.
In today’s post, we discussed a vulnerability in HashThemes Demo Importer that allowed any logged-in user to completely and permanently destroy all of the content on a website.
We’ve discussed the importance of backups in the past, and this vulnerability serves as an important reminder of how critical backups are to your site’s security. While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up.
Wordfence Premium users have been protected against this vulnerability since August 25, 2021, while those still running the free version of Wordfence have been protected since September 24, 2021. If you are running a vulnerable version of this plugin, we urge you to update to the latest version available, 1.1.4, as soon as possible.
If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as this vulnerability can lead to complete loss of site content.