A WordPress plugin has been found to contain “easily exploitable” security issues that can be abused to completely take over vulnerable websites.
The plugin at the heart of the matter, WP Database Reset, is used to reset databases – either fully or based on specific tables – without the need to go through the standard WordPress installation process. According to the WordPress library, the plugin is active on over 80,000 websites.
On January 16, the Wordfence security team said that two severe vulnerabilities were found on January 7 and “either of the vulnerabilities can be used to force a full website reset or takeover.”
The first WordPress plugin vulnerability tracked as CVE-2020-7048 and has been issued a CVSS score of 9.1. As none of the database reset functions was secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication.
All it would take to reset a website back to the basics was a simple request – wiping out posts, pages, comments, users, uploaded content, and more in a matter of seconds.
The other WordPress plugin vulnerability, tracked as CVE-2020-7047 and issued a CVSS score of 8.1, allowed any authenticated user – no matter their permissions level – to not only grant themselves god-level administrative privileges but also “drop all other users from the table with a simple request.“
Wordfence recommended that users of the plugin must immediately update to the latest version of WP Database Reset, 3.15.