WordPress Plugin Vulnerability Can Wipe Any Site Clean

A new WordPress plugin vulnerability was identified in Hashthemes Demo Importer. Said plugin is a popular choice among web developers. The vulnerability enables any authorized user to entirely wipe a susceptible WordPress site clean, erasing all of the material and data posted to it. Researchers have uncovered a potentially harmful WordPress plugin that enables subscribers to altogether remove any content from websites. It can practically eradicate all database information and uploaded media, among other things.

 

To make sure you don’t experience any of this in the future, contact LIFARS. LIFARS-as-Service can validate your compliance and controls to help you maintain your compliance. We evaluate your current approach and create a strong security foundation.

 

According to WordPress security specialists Wordfence, the vulnerability enables any authorized user to entirely ‘gut’ a susceptible site, permanently erasing practically all database information as well as any uploaded media.

The Hash Themes Demo Importer plugin is designed to allow admins to quickly and easily import demos for WordPress themes. They can do this with a single click without dealing with dependencies such as XML files, .json theme options, .dat customizer files, or .wie widget files. Likewise, the plugin is available for free on the WordPress plugin repository and has more than 8,000 active installs.

What Went Wrong

Unfortunately, the plugin’s capability checks for several AJAX operations were inadequate. That enabled underprivileged authenticated users of the site to see the AJAX nonce on the dashboard, which was previously unavailable. As a result, any authenticated opponent may reset the site, even if they were just at the subscriber level. In the worst-case scenario, a cybercriminal may even altogether remove the site’s content from the internet.

Our mission is to mitigate the attack surface and minimize the compromise’s extent and the resulting impact of the cyber-attack. Our digital forensics methodology leverages our in-depth expertise from numerous highly complex digital forensics investigations, combined with IoCs and TTPs from our proprietary knowledge base.

Due to the flaws in the Hashthemes demo importer plugin, several of its AJAX activities are vulnerable since they did not correctly execute the capability checks. The AJAX nonce was displayed in the admin dashboard for all users, including low-privileged users such as subscribers, even though it did complete a nonce verification. Most seriously affected by this was that a subscriber-level user may completely wipe out all of the material on a specific site.

The WordPress plugin vulnerability issue allows any authorized attacker, even a subscriber-level user with direct access, to wipe out any WP sites completely, all of their databases, and uploaded material. This weakness, if exploited, would leave a website that was using the vulnerable plugin utterly unrecoverable unless the website’s proprietors had taken sufficient precautions to back it up.

Threat In the WordPress Landscape

WordPress seems to be in the news regularly for security vulnerabilities. The same way browser extensions draw attention to the larger attack surface of third-party code; this WordPress plugin vulnerability does the same thing. In the case of software firms, they are accountable for both their code and the code that runs on top of it. Destructive threat actors, hackers, and malicious actors who delete websites for the sake of their gain are the kind of actors who would be most interested in this type of vulnerability. While authentication is required to exploit this issue, considering the widespread usage of passwords and account takeovers, that bar isn’t raised to the level it should be.

Ways To Strengthen Your WordPress Site from Any Possible Vulnerability

Update Plugins

Plugins provide a plethora of functionality to WordPress sites, but they might also serve as a backdoor for malicious code if you’re not cautious. Tens of thousands of plugins and themes have been created by third-party developers and corporations throughout the globe, but not all of them are equally safe or trustworthy.

It is critical to find actively maintained plugins with owners that issue updates and give support consistently. In the same way, that core WordPress updates assist in resolving known WordPress security vulnerabilities, plugins, and theme upgrades, help close loopholes that hackers may exploit, and make sure that your site is as safe as possible. As a result, an outdated plugin that no longer gets active maintenance might serve as a backdoor for cybercriminals.

Use Official Released Plugins

It might be tempting to utilize a commercial plugin or WordPress theme that isn’t available via the WordPress plugin repository, but doing so is often a bad idea in the long run. These expensive plugins and themes are not updated regularly, and in other cases, they are not updated at all. So unless you stay on top of the updates, there is an excellent chance that your plugin will go un-updated for an extended period.

Using plugins and themes from the official WordPress plugin repository, which are produced by well-known organizations and are regularly updated, is highly recommended. That will go a long way toward avoiding any security concerns since these plugins and themes have been rigorously tested. That will ensure that they do not include any harmful code and comply with security rules and best practices.

Strengthen Passwords

Given that passwords are intended to safeguard the entry points to websites and web hosting platforms within your control, hackers often target them as their first target. One of the most prevalent techniques is a Brute Force attack. This is where hackers attempt hundreds of different passwords in the hopes of hitting on the one you used to get into your account. Therefore, creating a lengthy and challenging password for your website is quite crucial to ensure its security. The more difficult it is for an attacker to guess your password, the less likely it is that this kind of attack would be successful.

Web managers and developers are often surprised by the number of times they forget to change the default password on their website — and by website, we don’t just mean the WordPress site itself, but also any associated FTP accounts, databases, or WordPress managed hosting as well as the email address you use to recover your site and anything else that is tied to it as well. If you’re utilizing managed WordPress hosting, make sure that you create a new and unique password for each of your accounts on the platform. The chance of someone guessing your password or hacking it from another site increases if you use a password you’ve used previously or are currently using somewhere else.

A more significant number of websites use passwords such as “password” or “12345678,” as well as easy-to-guess alternatives such as birth dates, ID numbers, and phone numbers, which are always among the first possibilities that bots or hackers test.

Many website owners do not like to use lengthy and intricate passwords simply because they are difficult to remember in the long run. To make it simpler to recall, it is recommended that you use a complete statement that makes only sense to you (and even misspell a word on purpose). These types of passwords are far more secure than single-phrase passwords.

Enable 2FA

Anyone attempting to log in using “regular” single-factor authentication has to submit their username and password, after which they will be granted access. It essentially reduces the number of “gates” through which hackers must pass to access a website, making it one of the most critical WordPress security issues.

By enabling two-factor authentication, you can make it much more difficult for them to steal your information (TFA). With two-factor authentication, everyone is required to input a one-time code that is delivered to their mobile phone or email address.

Final Thoughts

Beginning with the fundamentals is essential for successful cybersecurity protection. Do not neglect to do updates and patches regularly. Good cyber hygiene may be the distinction between your company and being targeted by malicious actors.

 

References

https://www.wordfence.com/blog/2021/10/site-deletion-vulnerability-in-hashthemes-plugin/

https://www.oodaloop.com/briefs/2021/10/28/wordpress-plugin-bug-lets-subscribers-wipe-sites/

https://itsecuritywire.com/quick-bytes/wordpress-plugin-bug-lets-subscribers-wipe-sites/

https://www.techradar.com/news/this-vicious-wordpress-plugin-bug-could-wipe-your-whole-site