Critical WordPress plugin vulnerability allowed wiping databases


The vulnerability existed in the WP Reset PRO WordPress plugin which is used by more than 400,000 websites.

The IT security researchers at Patchstack (previously known as WebARX) have discovered a high severity security vulnerability in the WP Reset PRO WordPress plugin that allows ‘authenticated’ users to wipe data from vulnerable websites. 

According to their advisory, an attacker can exploit the vulnerability to wipe the website’s entire database and then simply visit the site’s homepage to initiate a fresh WordPress installation. Patchstack CEO Oliver Sild called it a “destructive vulnerability” that is mainly a problem for e-commerce websites that offer open registration.

About the vulnerability

It is worth noting that any authenticated user can exploit this vulnerability, whether or not they are authorized to perform administrative actions, and wipe all tables stored in a WordPress installation’s database to restart the WordPress installation process. The exploitation requires the attacker to pass a query parameter such as “%%wp” to delete all
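The root cause described above is the classic confusion between authentication (the user is logged in) and authorization (the user is allowed to run this action). The following is an added illustration, not code from WP Reset PRO or from Patchstack: a hypothetical plugin action handler in a weak form that only checks for a login, beside a hardened form that checks a capability and a nonce and takes no destructive scope from request parameters at all. All `wpr_*` names, the `wpr_reset` action and nonce, and the option names are assumptions for the example; the WordPress functions (`is_user_logged_in`, `current_user_can`, `check_admin_referer`, `wp_nonce_url`, `delete_option`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Demonstrates an authorization gate
// around a destructive "reset" action in a hypothetical WordPress plugin.

// WEAK: only authentication is checked. Any account that can log in, including
// a subscriber created through open registration, reaches the destructive step,
// and the scope of the reset is taken straight from the request.
function wpr_handle_reset_weak() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $scope = sanitize_text_field( wp_unslash( $_GET['scope'] ?? '' ) );
    wpr_do_reset( $scope );   // user-controlled scope drives a destructive action
}

// HARDENED: capability check (authorization), nonce check (CSRF), POST only,
// and the scope of the reset is fixed in code, never read from the request.
function wpr_handle_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'wpr_reset' );          // dies on a missing or invalid nonce
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', 405 );      // a plain GET to a URL must not reset anything
    }
    wpr_do_reset( 'plugin_settings' );            // scope is a constant, not a parameter
    wp_safe_redirect( admin_url( 'tools.php?page=wpr&done=1' ) );
    exit;
}

// The destructive step. In this example it is limited to the plugin's own
// options (an allow-list owned by the code, assumed names), and it refuses any
// scope it does not know, so a widened or wildcard value can never reach the
// database as a pattern.
function wpr_do_reset( $scope ) {
    $allowed = array(
        'plugin_settings' => array( 'wpr_settings', 'wpr_last_run', 'wpr_snapshot_list' ),
    );
    if ( ! isset( $allowed[ $scope ] ) ) {
        wp_die( 'Unknown reset scope', 400 );
    }
    foreach ( $allowed[ $scope ] as $option ) {
        delete_option( $option );
    }
    // Audit trail: destructive admin actions should leave a record of who ran them.
    error_log( sprintf( 'wpr: reset "%s" run by user %d', $scope, get_current_user_id() ) );
}

// Wire the hardened handler to admin-post.php; it is never reachable by anonymous users
// (no admin_post_nopriv_ hook is registered), and the button carries the nonce.
add_action( 'admin_post_wpr_reset', 'wpr_handle_reset' );

function wpr_reset_button_html() {
    $url = wp_nonce_url( admin_url( 'admin-post.php?action=wpr_reset' ), 'wpr_reset' );
    return '<form method="post" action="' . esc_url( $url ) . '">'
         . '<button type="submit" class="button button-secondary">Reset plugin settings</button>'
         . '</form>';
}
```

The practical check when reviewing a plugin is to look for every handler that performs a destructive or privileged operation and confirm it calls `current_user_can()` with an appropriate capability and a nonce check, rather than `is_user_logged_in()` alone; a login check only proves the request came from some account, and with open registration that account can belong to anyone.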
