On August 25, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations.
This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.
As we did not receive a response from the developer for nearly a month, we contacted the WordPress plugins team with our disclosure on September 20, 2021. The plugin was temporarily removed from the repository the same day, and a patched version, 1.1.2, was made available on September 24, 2021, though it was not mentioned in the developer changelog.
Wordfence Premium customers received a firewall rule protecting against this vulnerability on August 25, 2021. Sites running the free version of Wordfence received the same rule 30 days later, on September 24, 2021.
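The vulnerability class described above, missing authorization on a destructive WordPress AJAX action, is easy to recognise once you know the pattern. The following is an added illustration, not code from the Hashthemes Demo Importer plugin or from Wordfence: every hook name, function name and the `example_` helpers are hypothetical. It places a handler that trusts login status alone beside the hardened form a reviewer would expect.

```php
<?php
// Added illustration (not the plugin's code). All names below are hypothetical.

// Vulnerable pattern: a wp_ajax_* hook already fires only for logged-in users,
// so this handler's sole "check" is authentication. Any role, including
// subscriber, can trigger a full content wipe.
add_action( 'wp_ajax_example_reset_site', 'example_reset_site_vulnerable' );
function example_reset_site_vulnerable() {
    example_delete_all_content();
    wp_send_json_success( 'Site reset' );
}

// Hardened pattern: a nonce bound to this action (CSRF protection) plus an
// explicit capability check (authorization). Both are needed; a nonce alone
// does not stop a low-privileged user who can fetch the nonce from a page.
add_action( 'wp_ajax_example_reset_site_v2', 'example_reset_site_hardened' );
function example_reset_site_hardened() {
    // Dies with a 403 if the 'nonce' request parameter is missing or invalid.
    check_ajax_referer( 'example_reset_site', 'nonce' );

    // manage_options is administrator-only on a single site; this is the
    // check whose absence lets "any authenticated user" reach the wipe.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    example_delete_all_content();
    wp_send_json_success( 'Site reset' );
}

// Hypothetical destructive helper, kept here only to make the example concrete:
// permanently deletes every post, page and attachment (force_delete = true
// bypasses the trash, so the data is unrecoverable).
function example_delete_all_content() {
    $ids = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
}
```

When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_…' )` and `'wp_ajax_nopriv_…'` registration and confirm the callback performs a `current_user_can()` check appropriate to what it does, not just a nonce check. `wp_ajax_nopriv_` hooks fire for unauthenticated visitors and deserve the closest look, but, as this disclosure shows, a `wp_ajax_` hook that runs a destructive operation for any logged-in role is still a high-impact access control failure.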
Description: Improper Access Control allowing content deletion
Affected Plugin: Hashthemes Demo Importer
Plugin Slug: hashthemes-demo-importer
Plugin Vendor: Hashthemes
Affected Versions: <= 1.1.1
CVE ID: CVE-2021-39333
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall