The flaw, found in the Hashthemes Demo Importer plugin, allows any authenticated user to exsanguinate a vulnerable WordPress site, deleting nearly all database content and uploaded media.
Researchers have discovered a homicidal WordPress plugin that allows subscribers to wipe sites clean of content.
The high-severity security flaw is found in Hashthemes Demo Importer, a plugin that’s used in more than 8,000 active installations.
According to security researchers at Wordfence, the vulnerability allows any authenticated user to completely exsanguinate a vulnerable site, “permanently deleting nearly all database content as well as all uploaded media.”
The HashThemes Demo Importer plugin is designed to let admins easily import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files, .json theme options,.dat customizer files or .wie widget files.
In a Tuesday writeup, Wordfence’s Ram Gall said that the Wordfence Threat Intelligence team initiated the disclosure process for the bug on Aug. 25. For nearly a month, the developer failed to respond, so Wordfence got in touch with the WordPress plugins team on Sept. 20.
WordPress Yanks Plugin, Puts Out Fix Lickety-Split
On the same day, the WordPress crew temporarily removed the Hashthemes