- A WordPress plugin that has over 8,000 active installs has shown a AJAX nonce error.
- The Hashthemes Demo Importer vulnerability permits site wipes and was discovered in late August, 2021.
- A new version 1.1.2 of the plugin has been put up, although no changenotes have been published.
Hashthemes, a WordPress plugin with 8,000 active installations, allowed hackers to completely reset a site, deleting almost all the content from its database. This vulnerability was disclosed on August 25 by Wordfence Threat Intelligence, but the plugin developers gave no response. The researchers contacted the WordPress plugins team on September 20, 2021, so the plugin was temporarily removed that day, and a patch was released four days later.
This flaw was marked CVE-2021-39333 and got a "high" score. The patched version 1.1.2 went online on the WordPress plugins page, but there is no mention of it in the changelog or anything addressing the vulnerability.
According to the researchers, the plugin had an AJAX nonce visible on the admin dashboard for all users while performing a nonce check, even to highly-restricted privilege users like subscribers. From this, even a low-privilege user such as a subscriber could change the entire content of a website or delete everything.
This is done by the hdi_install_demo AJAX function where any user can reset the website by setting the parameter to 'true.' This would reset every site parameter, including wp_options, wp_users, and wp_usermeta. After wiping the database, the Hashthemes plugin would initiate the clear_uploads function that would delete every file and folder in wp-content/uploads.
As a protection against this vulnerability, Wordfence Premium customers received a firewall rule on the day of the disclosure, and the free version customers got it as well, but on the same day when the patch came.
This year, another two vulnerabilities were discovered in WordPress. The first was from an Authenticated SQL Injection and the second from a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF).