WordPress plugin vulnerability can be exploited for total website takeover

The “easily exploitable” bug in WP Database Reset has serious consequences for webmasters.

Critical bugs in WordPress plugins put over 300,000 websites at risk

A WordPress plugin has been found to contain "easily exploitable" security issues that can be exploited to completely take over vulnerable websites. 

The plugin at the heart of the matter, WP Database Reset, is used to reset databases -- either fully or based on specific tables -- without the need to go through the standard WordPress installation process. 

According to the WordPress library, the plugin is active on over 80,000 websites. 

On Thursday, the Wordfence security team said that two severe vulnerabilities were found on January 7. Either of the vulnerabilities can be used to force a full website reset or takeover, according to Wordfence's Chloe Chamberland.

Tracked as CVE-2020-7048, the first critical security flaw has been issued a CVSS score of 9.1. As none of the database reset functions were secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication. 

See also: Critical bugs in WordPress plugins InfiniteWP, WP Time Capsule expose 320,000 websites to attack

All it would take to reset a website back to the basics was a simple request -- wiping out posts, pages, comments, users, uploaded content, and more in a matter of seconds. 

The other vulnerability, tracked as CVE-2020-7047 and issued a CVSS score of 8.1, allowed any authenticated user -- no matter their permissions level -- to not only grant themselves god-level administrative privileges but also "drop all other users from the table with a simple request."

"Whenever the wp_users table was reset, it dropped all users from the user table, including any administrators, except for the currently logged-in user," Chamberland says. "The user sending the request would automatically be escalated to administrator, even if they were only a subscriber."

Left as the only administrator, an attacker would, therefore, be able to hijack a vulnerable website and seize full control of the content management system. 

CNET: FBI will start notifying states when hackers hit local elections

WP Database Reset's developer was made aware of the security issues on January 8 after the security team verified their findings. By January 13, the developer had responded with the promise a patch would be released on January 14, leading to public disclosure several days later. 

It is recommended that users of the plugin immediately update to the latest version of WP Database Reset, 3.15. At the time of writing, only 5.2 percent of users have performed the upgrade. 

TechRepublic: These subject lines are the most clicked for phishing

Earlier this week, users of the InfiniteWP Client And WP Time Capsule WordPress plugins were warned to update their software to the latest versions available in order to mitigate the risk of exploit through newly-reported vulnerabilities. 

Together, the pair of plugins are used on roughly 320,000 active websites. Logic errors found in the code could be exploited to allow attackers to login without a password, and as malicious payloads exploiting these logic errors can bypass firewall protections, updating is crucial.  

Previous and related coverage