Security experts from Wordfence discovered two security vulnerabilities in the WP Database Reset WordPress plugin that can van be used to take over the vulnerable websites.
The WordPress Database Reset plugin allows users to reset the database (all tables or the ones you choose) back to its default settings without having to go through the WordPress, it has over 80,000 installs.
“On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites.” reads the analysis published by Wordfence. “One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.”
The first critical vulnerability, tracked as CVE-2020-7048, has been assigned a CVSS score of 9.1. The experts discovered that none of the database reset functions were secured potentially allowing any user to reset any database table without authentication.
The second vulnerability, tracked as CVE-2020-7047, has received a CVSS score of 8.1 and allowed any authenticated to drop all other users by resetting the wp_users table and escalate to administrative privileges.
“Dropping all users during a database reset may be problematic, but we can always recreate users, right? Unfortunately, this was more complex. Whenever the wp_users table was reset, it dropped all users from the user table, including any administrators, except for the currently logged-in user.” continues the analysis. “The user sending the request would automatically be escalated to administrator, even if they were only a subscriber. That user would also become the only administrator, thus allowing an attacker to fully take over the WordPress site.”
Below the disclosure timeline:
January 7th, 2020 – Vulnerability initially discovered and analyzed.
January 8th, 2020 – Full details disclosed to plugin developer and custom firewall rule released to Wordfence premium users.
January 13th, 2020 – Developer responds and notifies us that a patch will be released the next day.
January 14th, 2020 – Patch released.
January 16th, 2020 – Public disclosure.
Users of the above plugin have to update their installs to the latest version of WP Database Reset, 3.15.
Earlier this week, experts at security firm WebArx have disclosed vulnerabilities in WP Time Capsule and InfiniteWP plugins, both were patched earlier this month by the developer Revmakx.
The flaws in WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over websites running the popular CMS that are more than 320,000.
(SecurityAffairs – WP Database Reset, hacking)