Date: 2021-10-28

Another week, another flaw in a WordPress plugin; this time it allowed an attacker to take down posts, and even an entire website, through a defect in a user verification routine. The opening was in the Hashthemes Demo Importer extension, which, according to official figures, is installed on more than eight thousand sites running the content management system.

The vulnerability was found by experts at Wordfence, which specializes in security in the WordPress environment, and is caused by a problem in checking the security tokens assigned to users. Each action, such as deleting a page or section, is given a token, called a nonce, which must be validated by the system's security checks and serves, for example, to prevent changes from being triggered through direct URL requests. The plugin, however, did not perform this verification properly, allowing changes to be made even by users with low access privileges. As we are talking about an extension aimed at installing themes and WordPress demos, the absence of this check allows entire websites to be taken down or databases to be completely wiped out by third parties. According to Wordfence, even recovery could be prevented after such an attack, unless the page administrators themselves have kept external backups.

The flaw was severe enough that even users at the Subscriber level, the lowest in the hierarchy and commonly used only for commenting, could make such changes. Not only sites and posts could be deleted, but also other registered users, files stored on the server and the settings of the content management system itself, essentially returning the entire platform to its initial state.
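As an added illustration, not code from the Hashthemes Demo Importer plugin or from Wordfence, here is the pattern the article describes: an admin-ajax handler for a destructive action, first without the nonce and capability checks and then with them. The handler names, the nonce action string and the admin page slug are hypothetical; the WordPress functions called are the real ones.

```php
<?php
// Added illustration (not the plugin's code). Handler names, nonce action
// and page slug are hypothetical; the WordPress API calls are real.

// Weak pattern: runs for any logged-in user, with no nonce check and no
// capability check, so a Subscriber (or a forged request) can trigger it.
function hdi_demo_reset_weak() {
    $post_id = intval( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );
    wp_send_json_success( 'deleted' );
}
add_action( 'wp_ajax_hdi_demo_reset_weak', 'hdi_demo_reset_weak' );

// Hardened pattern: the nonce must have been issued for this exact action
// *and* the caller must hold the capability the action really requires.
function hdi_demo_reset_hardened() {
    // check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['_ajax_nonce']
    // and dies with a -1 response when the nonce is missing, expired, or was
    // issued to a different user or for a different action.
    check_ajax_referer( 'hdi_demo_reset', '_ajax_nonce' );

    // A nonce proves intent, not authority: any logged-in user can obtain one
    // from a page that prints it. Authorization is a separate check, and
    // 'manage_options' is held by administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $post_id = intval( $_POST['post_id'] ?? 0 );
    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success( 'deleted' );
}
add_action( 'wp_ajax_hdi_demo_reset', 'hdi_demo_reset_hardened' );

// Issuing side: the nonce is minted for the same action string and handed
// to the admin page's script, which sends it back as _ajax_nonce.
function hdi_demo_reset_enqueue( $hook ) {
    if ( 'toplevel_page_hdi-demo' !== $hook ) {   // hypothetical page slug
        return;
    }
    wp_localize_script( 'hdi-demo-admin', 'hdiDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hdi_demo_reset' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hdi_demo_reset_enqueue' );
```

The point of the two checks together is the one Wordfence's finding turns on: a valid nonce alone does not establish that the requesting account is allowed to perform a site-wide destructive action.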

According to Wordfence, the vulnerability was discovered in late August, and the lack of response from the extension's developers led to it being removed from the official WordPress plugin directory. It returned last Sunday, already with an update that mitigates the problem; the fix, however, was not mentioned in the update notes released by those responsible.

To guard against the flaw, the recommendation is that Hashthemes Demo Importer users update the plugin immediately; the latest version is 1.1.4. The same goes for other extensions, as well as for WordPress itself, since keeping them up to date ensures that known and mitigated flaws do not pose a risk to site administrators.

Source: Wordfence
