Popular WordPress Plugin Vulnerable To Exploitation And Can Be Used To Hijack Complete Website, Warn Security Experts

A popular WordPress plugin that helps website administrators with maintenance and upkeep activities is extremely vulnerable to exploitation. Easily manipulated, the plugin can be used to render the complete website inactive, or attackers can take over the site with admin privileges. The security flaw within the popular WordPress plugin has been tagged as ‘Critical’ and accorded one of the highest CVSS scores.

A WordPress plugin can run with minimal oversight from authorized administrators. In this case, the vulnerability leaves the plugin's database functions completely unsecured. This means any user can potentially reset any database tables they wish, without authentication. Needless to add, posts, comments, entire pages, users and their uploaded content could be wiped out in a matter of seconds.

WordPress Plugin ‘WP Database Reset’ Vulnerable To Easy Exploitation And Manipulation For Website Takeover Or Takedown:

As the name implies, the WP Database Reset plugin is used to reset databases. Website administrators can choose between a full or partial reset. They can even order a reset of specific tables. The biggest advantage of the plugin is convenience: it avoids the painstaking task of a fresh, standard WordPress installation.

The Wordfence security team, which uncovered the flaws, indicated that two severe vulnerabilities within the WP Database Reset plugin were found on January 7. Either of the vulnerabilities can be used to force a full website reset or to take over the site.

The first vulnerability has been tagged as CVE-2020-7048 and issued a CVSS score of 9.1. This flaw exists in the database reset functions. None of the functions were secured through any checks, authentication or verification of privileges. This means any user could reset any database tables they wished, without authentication. The user merely had to send a simple request to the WP Database Reset plugin, and could effectively wipe out pages, posts, comments, users, uploaded content, and much more.

The second security vulnerability has been tagged as CVE-2020-7047 and issued a CVSS score of 8.1. Although its score is slightly lower than the first one, the second flaw is equally dangerous. This security flaw allowed any authenticated user to not only grant themselves god-level administrative privileges but also “drop all other users from the table with a simple request.” Shockingly, the permission level of the user did not matter. Wordfence’s Chloe Chamberland explained:

“Whenever the wp_users table was reset, it dropped all users from the user table, including any administrators, except for the currently logged-in user. The user sending the request would automatically be escalated to the administrator, even if they were only a subscriber.”

As the sole administrator, the user could essentially hijack a vulnerable website and effectively gain full control of the Content Management System (CMS). According to the security researchers, the developer of the WP Database Reset plugin has been alerted, and a patch for the vulnerabilities was supposed to be deployed this week.
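To make the two flaws concrete, here is an added illustrative example in the shape of a WordPress plugin action handler. It is not the WP Database Reset plugin's own code: the handler names, the `wpdr_reset_tables()` helper and the request parameters are hypothetical. The first handler shows the unguarded pattern the article describes (no authentication, no capability check); the second adds the checks that close it and keeps the users table out of the request path, since resetting it is what leaves the requester as the sole, automatically promoted administrator.

```php
<?php
// Added illustrative example, not the plugin's own code.
// Hypothetical names: wpdr_vulnerable_reset(), wpdr_hardened_reset(), wpdr_reset_tables().

// VULNERABLE pattern: runs on every request with no authentication,
// capability check or nonce, so any visitor can trigger a table reset.
add_action( 'init', 'wpdr_vulnerable_reset' );
function wpdr_vulnerable_reset() {
    if ( isset( $_GET['wpdr_reset'] ) ) {
        wpdr_reset_tables( (array) $_GET['wpdr_reset'] ); // hypothetical helper
    }
}

// HARDENED pattern: only an administrator posting a valid nonce reaches the
// reset, table names are allow-listed, and the users tables are never touched.
add_action( 'admin_post_wpdr_reset', 'wpdr_hardened_reset' );
function wpdr_hardened_reset() {
    // 1. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. CSRF protection: the request must carry the nonce issued with the admin form.
    check_admin_referer( 'wpdr_reset_action', 'wpdr_nonce' );

    global $wpdb;
    $requested = isset( $_POST['tables'] ) ? (array) $_POST['tables'] : array();

    // 3. Allow-list: only this site's core tables, minus wp_users and wp_usermeta.
    //    Wiping those leaves the requester as the only account, which is the
    //    privilege-escalation path described above.
    $allowed = array_diff( $wpdb->tables(), array( $wpdb->users, $wpdb->usermeta ) );
    $tables  = array_values( array_intersect( array_map( 'sanitize_key', $requested ), $allowed ) );
    if ( empty( $tables ) ) {
        wp_die( 'No valid tables selected.', 400 );
    }

    wpdr_reset_tables( $tables ); // hypothetical helper that performs the reset
    wp_safe_redirect( admin_url( 'tools.php?page=wpdr&done=1' ) );
    exit;
}
```

When reviewing a plugin for this class of bug, the checks to look for are exactly these: a capability test before any destructive action, a nonce check on the request, and an allow-list that prevents the users tables from being reset from user-supplied input.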

The latest version of the WP Database Reset plugin, with the patches included, is 3.15. Given the severe security risk as well as the high chances of permanent data elimination, administrators must either update the plugin or remove the same completely. According to experts, about 80,000 websites have the WP Database Reset plugin installed and active. However, a little more than 5 percent of these websites appear to have performed the upgrade.

Alap Naik Desai
A B.Tech Plastics (UDCT) and a Windows enthusiast. Optimizing the OS, exploring software, searching and deploying solutions to strange and weird issues is Alap's main interest.