The vulnerability existed in the WP Reset PRO WordPress plugin, which is used by more than 400,000 websites.
Security researchers at Patchstack (previously known as WebARX) have discovered a high-severity vulnerability in the WP Reset PRO WordPress plugin that allows any authenticated user to wipe data from vulnerable websites.
According to the advisory, an attacker can wipe the website’s entire database; once the tables are gone, simply visiting the site’s homepage brings up the WordPress installation process. Patchstack CEO Oliver Sild called it a “destructive vulnerability” that can mainly cause problems for e-commerce websites that offer open registration, since anyone can create the authenticated account the attack requires.
About the vulnerability
It is worth noting that any authenticated user, regardless of role or authorization, can exploit this vulnerability to wipe every table in the WordPress installation’s database, which forces the site back into the WordPress installation process. Exploitation requires the attacker to pass a query parameter such as “%%wp”, which deletes all tables with the prefix wp (the % character is a wildcard in SQL pattern matching, so the value matches every table name containing that prefix rather than a single literal name).
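The bug class described above, as an added example that is not part of the original article or of the WP Reset PRO plugin’s own code: a database “reset” handler that any authenticated user can invoke and that feeds a caller-supplied table prefix into a SQL LIKE pattern, shown beside a hardened version that authorizes the caller first and matches the prefix literally. The table names, the in-memory SQLite database and the user_is_admin/nonce_ok flags are constructed stand-ins (the flags for WordPress’s current_user_can() and check_ajax_referer() gates); the LIKE-based matching is an assumption about how a prefix parameter is typically consumed, not a description of the plugin’s internals.

```python
"""Constructed illustration of a wildcard-widened table wipe and its hardened form.

Example code added to the article, not the WP Reset PRO plugin's source.
An in-memory SQLite database stands in for a WordPress database.
"""
import re
import sqlite3

# Constructed sample schema: the core tables of a WordPress install (prefix wp_),
# two tables from another plugin, and a backup table whose name merely contains "wp".
SAMPLE_TABLES = [
    "wp_options", "wp_users", "wp_usermeta", "wp_posts", "wp_postmeta",
    "wp_comments", "wp_commentmeta", "wp_terms", "wp_termmeta",
    "wp_term_taxonomy", "wp_term_relationships", "wp_links",
    "other_cache", "other_log", "backup_wp_users",
]

WP_CORE_TABLES = [t for t in SAMPLE_TABLES if t.startswith("wp_")]


class AuthorizationError(PermissionError):
    """Raised by the hardened handler when the caller may not reset the site."""


def fresh_db():
    """Create an in-memory database populated with the constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    for name in SAMPLE_TABLES:
        conn.execute(f'CREATE TABLE "{name}" (id INTEGER PRIMARY KEY)')
    return conn


def list_tables(conn):
    """Return the names of all user tables, sorted."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]


def drop_tables_vulnerable(conn, prefix):
    """Vulnerable handler: no authorization check, prefix used as a LIKE pattern.

    Because % (and _) are wildcards in LIKE, a caller who supplies "%%wp"
    matches every table whose name contains "wp", not only tables that start
    with a literal prefix. Returns the names of the dropped tables.
    """
    pattern = prefix + "%"
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ?",
        (pattern,),
    ).fetchall()
    dropped = [r[0] for r in rows]
    for name in dropped:
        conn.execute(f'DROP TABLE "{name}"')
    return dropped


SAFE_PREFIX = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def drop_tables_hardened(conn, prefix, user_is_admin, nonce_ok=True):
    """Hardened handler: authorize first, validate the prefix, match literally.

    user_is_admin and nonce_ok are constructed stand-ins for a capability
    check and a nonce check (in WordPress: current_user_can() and
    check_ajax_referer(), assumed here to be the right gates for a destructive
    admin-only action). Matching uses str.startswith in code rather than LIKE,
    so neither % nor _ can act as a wildcard. Returns the dropped table names.
    """
    if not (user_is_admin and nonce_ok):
        raise AuthorizationError("only an administrator with a valid nonce may reset tables")
    if not SAFE_PREFIX.match(prefix):
        raise ValueError("prefix may contain only letters, digits and underscores")
    dropped = [name for name in list_tables(conn) if name.startswith(prefix)]
    for name in dropped:
        conn.execute(f'DROP TABLE "{name}"')
    return dropped


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, prefix '%%wp' dropped:", drop_tables_vulnerable(db, "%%wp"))
    print("tables left:", list_tables(db))
    db = fresh_db()
    try:
        drop_tables_hardened(db, "wp_", user_is_admin=False)
    except AuthorizationError as exc:
        print("hardened, non-admin caller:", exc)
    print("hardened, admin, prefix 'wp_' dropped:", drop_tables_hardened(db, "wp_", user_is_admin=True))
    print("tables left:", list_tables(db))
```

Run stand-alone, the vulnerable handler with “%%wp” drops every wp_ table plus the unrelated backup_wp_users table, leaving only the other_ tables; the hardened handler refuses the non-admin caller outright, rejects “%%wp” as an invalid prefix, and with a legitimate “wp_” prefix drops exactly the wp_ tables. The two fixes are independent: the authorization gate is what closes the reported flaw, and literal prefix matching removes the wildcard surprise even for legitimate administrators.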
A threat actor can then abuse this flaw to create an administrator account on the website, which is required to complete the installation process. Moreover, the attacker can