Another week, another WordPress plugin crash; this time allowed an attacker to take posts and even an entire website down, from a breach in a user checking system. The opening was in the Hashthemes Demo Importer extension, which, according to official figures, would be installed in more than eight thousand vehicles that use the publications management system.
- WordPress extension failure may have put 90,000 sites at risk
- WordPress becomes a nest of sophisticated, hard-to-detect pest maker code
- Outdated plugin in WordPress puts hundreds of thousands of websites at risk
The vulnerability was found by experts at Wordfence, which specializes in security in the WordPress environment, and is caused by a problem in checking the authentication numbers assigned to users. Each action, such as deleting a page or section, is given a code, called a nonce, which must match the system’s security mechanisms and serve, for example, to prevent modifications from direct URLs. The plugin, however, did not perform this verification properly, allowing changes to be made even by users with low access privileges.
As we are talking about an extension aimed at installing WordPress themes and demos, the absence of this check allows entire websites to be taken down or the complete cleaning of databases by third parties. According to Wordfence, even a recovery could be prevented after such an attack, unless the page administrators themselves have performed external backups.
The loophole was severe enough to allow even users at the Subscriber level, the lowest in the hierarchy and commonly used only for comments, to make such changes. Not only sites and posts could be deleted, but also other registered users, files available on servers and settings of the content management system itself, basically returning the entire platform to its initial preferences.
According to Wordfence, the vulnerability was discovered in late August, with the lack of response from the developers of the extension leading to it being removed from the official WordPress marketplace. It returned to the air last Sunday (24), already with an update that mitigates the problem — he, however, was not mentioned in the update notes released by those responsible.
In order to guard against openness, the recommendation is that Hashthemes Demo Importer users update the plugin immediately; the latest version is 1.1.4. The same goes for other extensions, as well as for WordPress itself, with maintenance ensuring that known and mitigated flaws do not pose a risk to site administrators.