
Critical Flaw in WordPress Plugin Leads to Database Wipe

A major security vulnerability in the WP Reset PRO WordPress plugin could be exploited by an authenticated user to wipe the entire database of a website, according to a warning from researchers at Patchstack (formerly WebARX).

The issue can be exploited by any authenticated user, regardless of the role or privileges assigned to them, to wipe all tables in a WordPress installation’s database.

This would trigger the restart of the WordPress installation process. An attacker could abuse this to create an administrator account on the WordPress website (an admin account must be created to complete the installation process), according to a Patchstack advisory.

An attacker could further exploit the newly created account to upload malicious plugins to the website, or even install trojan backdoors.

WP Reset PRO is designed to let site administrators easily reset a website’s database to the default installation while leaving files intact, restore damaged sites, and remove customizations or parts of the site.

WP Reset PRO registers several actions in the admin_action_* scope, including the table deletion operation, but performs no check of whether the user is actually authorized to perform such an action, and does not validate a nonce token that would prevent CSRF attacks.

Because of this vulnerability, “someone could simply visit the homepage of the site to start the WordPress installation process,” Patchstack warned.

WebFactory Ltd, which develops both WP Reset and its PRO version, addressed the issue in version 5.99 of the plugin by adding an authentication and authorization check, along with a check for a valid nonce token.
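The two checks described above are the standard WordPress defenses for an admin_action_* handler. The snippet below is an added illustration, not WP Reset PRO's or WebFactory's code: the hook name, capability, function names and redirect target are all assumptions chosen for the example. WordPress fires the admin_action_{action} hook from wp-admin/admin.php for any logged-in user who supplies a matching `action` parameter, so the hook alone establishes authentication only; authorization and CSRF protection must be added by the callback itself.

```php
<?php
/**
 * Illustrative hardening of an admin_action_* handler.
 * Example code only; hook, capability and function names are assumptions
 * and do not describe the real plugin's internals.
 */

// Hypothetical action name used by this example.
const EXAMPLE_ACTION = 'example_plugin_reset_tables';

// Weak pattern (not registered here): the callback would run for any
// authenticated user reaching wp-admin/admin.php?action=example_plugin_reset_tables,
// because admin_action_* requires a logged-in session but no particular
// capability, and nothing verifies that the request was intentionally made.
function example_plugin_reset_tables_unchecked() {
    example_plugin_do_reset();
}

// Hardened pattern: authorization check plus nonce validation before any
// destructive work. This is the version wired to the hook below.
function example_plugin_reset_tables_checked() {
    // Authorization: only users who may manage the site can trigger a reset.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // CSRF: check_admin_referer() verifies the _wpnonce field for this action
    // and terminates the request with wp_die() if it is missing or invalid,
    // so a forged cross-site request never reaches the reset.
    check_admin_referer( EXAMPLE_ACTION );

    example_plugin_do_reset();

    // Assumed settings page to return to after the operation.
    wp_safe_redirect( admin_url( 'tools.php?page=example-plugin&done=1' ) );
    exit;
}
add_action( 'admin_action_' . EXAMPLE_ACTION, 'example_plugin_reset_tables_checked' );

// The link or form that triggers the action must carry a matching nonce;
// wp_nonce_url() appends it as the _wpnonce query argument.
function example_plugin_reset_link() {
    $url = admin_url( 'admin.php?action=' . EXAMPLE_ACTION );
    return wp_nonce_url( $url, EXAMPLE_ACTION );
}

// Placeholder for the destructive operation; deliberately a no-op in this example.
function example_plugin_do_reset() {
    // In a real plugin the $wpdb table operations would run here.
}
```

The capability check answers "is this user allowed to do this?" and the nonce check answers "did this user actually intend this request?"; the advisory's description matches a handler that asked neither question, which is why any registered account, or a CSRF page visited by one, could reach the table deletion.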

“It’s quite a destructive vulnerability, quite a problem for e-commerce and other sites that have open registration,” Patchstack CEO Oliver Sild told SecurityWeek.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
