"Critical Flaw in WordPress Plugin Leads to Database Wipe"

According to a warning from researchers at Patchstack, a critical security flaw has been discovered in the WP Reset PRO WordPress plugin that could allow an authenticated user to wipe a website's entire database. Any authenticated user, regardless of their authorization level, can exploit the issue to wipe all tables in a WordPress installation's database. This would cause the WordPress installation process to restart, and an attacker could abuse that to create an administrator account on the WordPress website. The attacker could then use the newly created account to upload malicious plugins to the website or install Trojan backdoors. WP Reset PRO helps site administrators easily reset a website's database to the default installation while leaving files intact, in order to restore damaged sites and remove customizations. The plugin registers a few actions in the admin_action_* scope, including table deletion operations, but performs no check to determine whether the user is authorized to perform such an action. Because of this vulnerability, the researchers warned, someone could simply visit the site's homepage to start the WordPress installation process. WebFactory Ltd, which develops both WP Reset and its PRO version, addressed the issue in version 5.99 of the plugin. This article continues to discuss the potential exploitation and impact of the flaw found in the WordPress plugin.
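As an added illustration, not the plugin's own code, the hypothetical handler below shows the pattern the researchers describe (an admin_action_* callback that only assumes the caller is logged in) beside a hardened version that checks capability and verifies a nonce; the action, function and table names are assumed.

```php
<?php
// Hypothetical plugin code (constructed for illustration, not WP Reset PRO).
// WordPress fires admin_action_{$_REQUEST['action']} from wp-admin/admin.php
// for ANY logged-in user, so the callback itself must perform authorization.

// --- Weak pattern: being authenticated is mistaken for being authorized ---
add_action( 'admin_action_example_reset_tables', 'example_reset_tables_unsafe' );
function example_reset_tables_unsafe() {
    global $wpdb;
    // No capability check and no nonce: any logged-in account, even a
    // subscriber, reaches this destructive query just by requesting the action.
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}example_cache" );
    wp_safe_redirect( admin_url( 'tools.php?page=example&done=1' ) );
    exit;
}

// --- Hardened pattern: authorize first, then verify intent with a nonce ---
add_action( 'admin_action_example_reset_tables_safe', 'example_reset_tables_safe' );
function example_reset_tables_safe() {
    global $wpdb;
    // 1. Authorization: only users allowed to manage the site may continue.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to perform this action.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }
    // 2. CSRF protection: the request must carry the nonce issued for this action.
    check_admin_referer( 'example_reset_tables_safe' );
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}example_cache" );
    wp_safe_redirect( admin_url( 'tools.php?page=example&done=1' ) );
    exit;
}

// The settings page renders this link so the hardened action receives a
// matching _wpnonce parameter; a bare admin.php?action=... request is rejected.
function example_reset_link() {
    return wp_nonce_url(
        admin_url( 'admin.php?action=example_reset_tables_safe' ),
        'example_reset_tables_safe'
    );
}
```

When reviewing a plugin, grep for add_action calls on admin_action_, admin_post_ and wp_ajax_ hooks and confirm each callback performs both a current_user_can() check and a nonce check before any write to the database.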

Security Week reports "Critical Flaw in WordPress Plugin Leads to Database Wipe"

Submitted by Anonymous on