Jan 17, 2020

By Critical bugs found in the WordPress Database Reset plugin used by over 80,000 sites allow attackers to drop all users and get automatically elevated to an administrator role and to reset any table in the database. The open-source WP Database Reset WordPress plugin maintained by WebFactory Ltd is designed to help reset databases to default settings with a few mouse click, wiping all the data stored in the database including posts, pages, users, and more. WP Database Reset makes it possible to choose between resetting a website's entire database or to reset only specific tables. Using the WP Database Reset plugin (WebFactory Ltd) Unauthenticated database reset and privilege escalation The two vulnerabilities tracked as  CVE-2020-7048  and  CVE-2020-7047 , rated as Critical and High  severity, were patched with the release of WP Database Reset 3.15 , a week after the initial disclosure from WordFence, the WordPress security firm that discovered the flaw. During the last two days since the patched version was released, a little over 8,300 users have already updated their installations, with more than 71,000 still having to secure their websites from potential attacks. "One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request," WordFence's Chloe Chamberland says . Successful exploitation of the two flaws on unpatched WordPress sites could lead to full site takeover and/or database reset. Vulnerable database reset function (WordFence) The CVE-2020-7048 authentication bypass flaw is caused by  improper authentication  stemming from missing capability checks or security nonce protection. Poorly implemented privilege management is behind CVE-2020-7047, a bug that allows site users with subscriber or higher permissions to reset the wp_users table and, after dropping all other users with a simple request, and automatically getting elevated to an admin role. "A site owner allowing open registration on a site with a vulnerable version of the WP Database Reset plugin could lose control of their site," the Wordfence Threat Intelligence team report adds. To defend against attacks abusing these flaws, the security outfit advises admins to update to WP Database Reset 3.15 immediately and to keep up to date site backups stored on a different server than the one hosting their WordPress installation. WordFence also created a video demonstration of how an exploit targeting these vulnerabilities would work.