Researchers from cybersecurity firm Patchstack have discovered a critical vulnerability in the WP Reset PRO WordPress plugin that could be exploited by an authenticated user to completely wipe the database of a website.
Once the database of a website running the popular CMS is completely wiped, WordPress restarts its installation process. The attacker can then create an administrator account as part of that installation process. The admin account can also be abused to upload malicious plugins to the website or even to upload a backdoor.
“The PRO version of the WP Reset plugin (versions 5.98 and below) suffers from a vulnerability that allows any authenticated user, regardless of their authorization, to wipe the entire database.” reads the analysis published by Patchstack. “Because it wipes all tables in the database, it will restart the WordPress installation process which could allow an attacker to launch this installation process and then create an administrator account at the end of this process as by default an administrator account has to be created once the WordPress site has been installed.
After this, they could further exploit the site by uploading a malicious plugin or uploading a backdoor.”
The WP Reset PRO plugin allows site administrators to easily restore damaged sites by resetting a website’s database to the default installation without modifying its files. It can delete all customizations and content, or only chosen parts such as theme settings.
The root cause of this vulnerability is a missing authorization check and a missing nonce token check. The experts noticed that the plugin registers a few actions in the admin_action_* scope, including admin_action_wpr_delete_snapshot_tables.
The problem is that no check is performed to determine whether the user is authorized to perform such an action, and the nonce token that would prevent CSRF attacks is never validated.
“It can be seen that the uid query parameter is grabbed from the URL, which is directly used as a prefix of the tables that should be deleted. Since the LIKE operator is used, we can pass a query parameter such as %%wp to delete all tables with the prefix wp.” continues the post.
“Once this is done, someone could simply visit the homepage of the site to start the WordPress installation process.”
The development team at WebFactory Ltd behind the plugin addressed the flaw with the release of the plugin version 5.99. The developers implemented an authentication and authorization check, and a check for a valid nonce token.
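To make the bug class and the fix concrete, here is an added, constructed illustration of an admin_action_* handler written in the vulnerable style described above beside a hardened version; it is not WP Reset PRO's code, and the hook name, function names and snapshot-id format are hypothetical.

```php
<?php
// Constructed illustration of the bug class described in the article; this is
// NOT the plugin's actual code. Hook and function names are hypothetical.

// VULNERABLE PATTERN: any logged-in user can reach admin_action_* hooks, there is
// no capability check, no nonce check, and the raw 'uid' parameter becomes a LIKE
// prefix, so LIKE wildcards in it widen the match to unrelated tables.
function hypothetical_vulnerable_delete_tables() {
    global $wpdb;
    $uid    = $_GET['uid']; // attacker-controlled, used unescaped
    $tables = $wpdb->get_col( "SHOW TABLES LIKE '{$uid}%'" );
    foreach ( $tables as $table ) {
        $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
    }
}
// add_action( 'admin_action_hypothetical_delete_tables', 'hypothetical_vulnerable_delete_tables' );

// HARDENED PATTERN: capability check, nonce check, strict input validation,
// LIKE-escaped prefix, and a prefix that can never match the live site's tables.
function hypothetical_hardened_delete_tables() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // The triggering link must be built with wp_nonce_url( $url, 'hypothetical_delete_tables' );
    // check_admin_referer() dies when the nonce is missing or invalid.
    check_admin_referer( 'hypothetical_delete_tables' );

    $uid = isset( $_GET['uid'] ) ? sanitize_key( wp_unslash( $_GET['uid'] ) ) : '';
    // Accept only the exact snapshot-id shape this feature expects (hypothetical: 6-12 alnum chars).
    if ( ! preg_match( '/^[a-z0-9]{6,12}$/', $uid ) ) {
        wp_die( 'Invalid snapshot id.', 400 );
    }

    // Snapshot tables live under <site_prefix><uid>_ ; the live tables never match this.
    $prefix = $wpdb->prefix . $uid . '_';
    $like   = $wpdb->esc_like( $prefix ) . '%';
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
    foreach ( $tables as $table ) {
        if ( 0 !== strpos( $table, $prefix ) ) {
            continue; // defence in depth: drop nothing outside the snapshot prefix
        }
        $wpdb->query( 'DROP TABLE IF EXISTS `' . str_replace( '`', '', $table ) . '`' );
    }
}
// add_action( 'admin_action_hypothetical_delete_tables', 'hypothetical_hardened_delete_tables' );
```

When reviewing plugins, the same three questions apply to every admin_action_*, admin-ajax and REST handler: who may call it (current_user_can), was it intentionally triggered (nonce), and is every request value validated before it reaches a query.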
Below is the timeline for this vulnerability:
27-09-2021 – We discovered the vulnerability in WP Reset PRO and released a virtual patch to all Patchstack paid version customers.
27-09-2021 – We reached out to the developer of the plugin.
28-09-2021 – The developer replied and we provided the vulnerability information.
28-09-2021 – The developer released a new plugin version, 5.99, which fixes this issue.
10-11-2021 – Published the article.
10-11-2021 – Added the vulnerability to the Patchstack vulnerability database.
(SecurityAffairs – hacking, WordPress)