The vulnerability existed in the WP Reset PRO WordPress plugin which is used by more than 400,000 websites.
The IT security researchers at Patchstack (previously known as WebARX) have discovered a high severity security vulnerability in the WP Reset PRO WordPress plugin that allows ‘authenticated’ users to wipe data from vulnerable websites.
According to their advisory, an attacker can exploit the vulnerability to wipe the entire website’s database, after which simply visiting the site’s homepage initiates the WordPress installation process. Patchstack CEO Oliver Sild called it a “destructive vulnerability” that mainly poses a problem for e-commerce websites that offer open registration.
About the vulnerability
It is worth noting that any authenticated user, regardless of role or authorization, can exploit this vulnerability to wipe all tables stored in a WordPress installation’s database and thereby restart the WordPress installation process. Exploitation requires the attacker to pass a query parameter such as “%%wp” to delete all tables with the prefix wp.
A threat actor can abuse this flaw to create an administrator account on the website, which is necessary to complete the installation process. The attacker can then use this new admin account to upload malicious plugins to the website or install trojan backdoors.
“The issue in this plugin is caused due to a lack of authorization and nonce token check. The plugin registers a few actions in the admin_action_* scope. In the case of this vulnerability, it’s admin_action_wpr_delete_snapshot_tables,” the advisory read.
“Unfortunately, the admin_action_* scope does not perform a check to determine if the user is authorized to perform said action, nor does it validate or check a nonce token to prevent CSRF attacks.”
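To illustrate the two missing checks the advisory names, here is an added example (not WP Reset’s code; the hook name, function names and the `manage_options` capability are hypothetical) of a WordPress admin_action_* handler in its weak form beside a hardened form that adds the authorization check, the nonce check, and strict validation of the prefix parameter:

```php
<?php
// Added illustration, not the plugin's code. Hook and function names are hypothetical.

// Weak pattern: any logged-in user who requests
// wp-admin/admin.php?action=example_delete_snapshot_tables reaches the callback,
// and the prefix parameter (wildcards included) is passed through unchecked.
add_action( 'admin_action_example_delete_snapshot_tables', 'example_delete_snapshot_tables_weak' );
function example_delete_snapshot_tables_weak() {
    $prefix = $_GET['prefix'];               // no capability check, no nonce, no validation
    example_matching_tables( $prefix );      // privileged operation runs for anyone
}

// Hardened pattern: capability check, nonce check, then strict input validation.
add_action( 'admin_action_example_delete_snapshot_tables_safe', 'example_delete_snapshot_tables_safe' );
function example_delete_snapshot_tables_safe() {
    // 1. Authorization: only users allowed to manage the site may run this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a nonce bound to this action
    //    (check_admin_referer() terminates the request if it is missing or invalid).
    check_admin_referer( 'example_delete_snapshot_tables' );

    // 3. Input validation: accept only a plain identifier equal to this site's own
    //    table prefix, so a value like "%%wp" can never widen the match.
    global $wpdb;
    $prefix = isset( $_GET['prefix'] ) ? sanitize_key( wp_unslash( $_GET['prefix'] ) ) : '';
    if ( '' === $prefix || ! preg_match( '/^[a-z0-9_]+$/', $prefix ) || $prefix !== $wpdb->prefix ) {
        wp_die( 'Invalid table prefix.', '', array( 'response' => 400 ) );
    }
    $tables = example_matching_tables( $prefix );
    // The plugin's own snapshot-table cleanup would act on $tables here.
    wp_safe_redirect( admin_url( 'tools.php?page=example-snapshots&count=' . count( $tables ) ) );
    exit;
}

// Hypothetical helper: list tables whose name starts with the literal prefix.
// esc_like() escapes % and _ so the prefix is matched literally, not as a pattern.
function example_matching_tables( $prefix ) {
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    return $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
}

// Any link that triggers the hardened action must carry a matching nonce.
function example_delete_link() {
    $url = admin_url( 'admin.php?action=example_delete_snapshot_tables_safe&prefix=' . rawurlencode( $GLOBALS['wpdb']->prefix ) );
    return wp_nonce_url( $url, 'example_delete_snapshot_tables' );
}
```

The hardened handler fails closed at each step, so a request from a low-privileged account or a cross-site forged link never reaches the table operation.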
Which Versions Are Impacted?
This vulnerability, tracked as CVE-2021-36909, impacts premium versions of the WP Reset plugin, namely all versions up to and including 5.98. The plugin is designed to help admins reset the whole website, or parts of it, for faster debugging and testing, and to restore the site from built-in snapshots. All of this is done with a single mouse click.
For your information, the free and open-source version of WP Reset, developed by WebFactory Ltd., is listed in the WordPress plugin repository boasting over 300,000 active installations. According to its developer, the number of users has already exceeded 400,000.
Sild explained that the bug could be exploited to access other websites on the same server.
“If there is an old site forgotten to a subdirectory (we see that a lot) that has that plugin installed and the server environment is connected, then this would allow getting access to other sites in the same environment,” Sild noted.
The bug was fixed in WP Reset PRO 5.99 on September 28, 2021. Therefore, update the plugin to the latest version if you have not done so already.