A serious security bug in the WP Reset PRO plugin could prove devastating for the websites using it. Exploiting the flaw could allow an authenticated adversary to wipe a site’s database tables and, through the reinstallation that follows, gain admin access. Since the developers have patched the flaw, users must update their websites to the latest plugin version.
WP Reset PRO Plugin Bug
Researchers from Patchstack discovered a bug in the WP Reset PRO plugin that allowed any authenticated user, regardless of role, to wipe the site’s database tables.
Further, because deleting the tables triggers a fresh WordPress installation, the adversary could take over the website during that subsequent install. That would give the attacker the liberty to run malicious code or install backdoors on the site.
Sharing the details in a blog post, the researchers explained that the vulnerability existed because the responsible action performed neither an authorization check nor a nonce check.
The plugin registers a few actions in the admin_action_* scope. In the case of this vulnerability, it’s … admin_action_* scope does not perform a check to determine if the user is authorized to perform said action, nor does it validate or check a nonce token to prevent CSRF attacks…
It can be seen that the uid query parameter is grabbed from the URL, which is directly used as a prefix of the tables that should be deleted. Since the LIKE operator is used, we can pass a query parameter such as %%wp to delete all tables with the prefix wp.
With the tables gone, WordPress treats the site as not yet installed and starts its setup routine. Whoever completes that routine creates the first administrator account, so the adversary simply walks through it and ends up with admin privileges on the rebuilt site.
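To make the two defects concrete, here is an added illustration of the pattern Patchstack describes beside a hardened version. This is example code written for this article, not WP Reset PRO’s own source: the action name example_delete_tables, the snapshot-id format, and the table-naming convention are assumptions.

```php
<?php
// Added example, not WP Reset PRO code. The action name and the
// assumption that snapshot tables are named <prefix><uid>_* are invented
// for illustration.

// --- Pattern described in the advisory (do not deploy) ---
// admin.php?action=example_delete_tables_unsafe&uid=%25 fires this hook
// for ANY logged-in user, and a cross-site form can trigger it too.
add_action( 'admin_action_example_delete_tables_unsafe', function () {
    global $wpdb;
    // No current_user_can() and no nonce check.
    $uid = isset( $_GET['uid'] ) ? $_GET['uid'] : '';
    // Caller-controlled value becomes the LIKE prefix: uid='%' (sent as
    // %25) matches every table that starts with $wpdb->prefix.
    $tables = $wpdb->get_col( "SHOW TABLES LIKE '{$wpdb->prefix}{$uid}%'" );
    foreach ( $tables as $table ) {
        $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
    }
} );

// --- Hardened equivalent ---
add_action( 'admin_action_example_delete_tables', function () {
    global $wpdb;

    // 1. Authorization: only administrators may destroy tables.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: require a nonce tied to this action (check_admin_referer()
    //    dies on failure). The link/form must be built with wp_nonce_url()
    //    or wp_nonce_field() for the same action string.
    check_admin_referer( 'example_delete_tables' );

    // 3. Input: allow only the identifier format the feature actually uses
    //    (assumed here: 6-32 lowercase hex chars), so LIKE metacharacters
    //    such as % and _ never reach the query.
    $uid = isset( $_GET['uid'] ) ? sanitize_text_field( wp_unslash( $_GET['uid'] ) ) : '';
    if ( ! preg_match( '/^[0-9a-f]{6,32}$/', $uid ) ) {
        wp_die( 'Invalid snapshot id', '', array( 'response' => 400 ) );
    }

    // 4. Defense in depth: escape LIKE wildcards and bind with prepare().
    $pattern = $wpdb->esc_like( $wpdb->prefix . $uid . '_' ) . '%';
    $tables  = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $pattern ) );
    foreach ( $tables as $table ) {
        // Identifiers cannot be bound with prepare(); strip backticks instead.
        $wpdb->query( 'DROP TABLE IF EXISTS `' . str_replace( '`', '', $table ) . '`' );
    }
} );
```

The capability check and the nonce check are the two controls the advisory says were missing; the allow-list on uid is what removes the wildcard trick, and esc_like() plus prepare() are there so the query stays safe even if the allow-list is later loosened.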
Patched Version Released
The researchers found that the vulnerability affected WP Reset PRO versions 5.98 and earlier.
Following this discovery, they reached out to the plugin team, which then released WP Reset PRO version 5.99 with the fix.
All users should update to plugin version 5.99 or later to receive the patch, and should verify the installed version from the WordPress plugins page rather than assuming auto-update has run.