A major security vulnerability in the WP Reset PRO WordPress plugin could be exploited by any authenticated user, regardless of their authorization, to wipe all tables in the database of a WordPress installation.
Wiping the database would trigger a restart of the WordPress installation process. An attacker could abuse this to create an administrator account on the WordPress website and then upload malicious plugins to it, or even install trojan backdoors.
WP Reset PRO aims to help site administrators easily reset a website’s database to the default installation while leaving files intact, restore damaged sites, and remove customizations or parts of the site.
WP Reset PRO registers a few actions in the admin_action_* scope, including the table deletion operation, but it performs no check of whether the user is actually authorized to perform such an action, and it does not validate a nonce token to prevent CSRF attacks.
With this vulnerability, someone could simply visit the homepage of the site to start the WordPress installation process. It’s quite a destructive vulnerability, and quite a problem for e-commerce and other sites that have open registration.
WebFactory Ltd, which develops both WP Reset and its PRO version, addressed the issue in version 5.99 of the plugin by adding an authentication and authorization check, along with a check for a valid nonce token.
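
The checks described above, shown on a generic admin_action_* handler. This is an added example, not WP Reset PRO's code: the action name example_reset_tables, the example_* functions, the example_ table prefix and the choice of the manage_options capability are all assumptions made for illustration.

```php
<?php
// Added example. All example_* names are hypothetical, not taken from WP Reset PRO.

// admin_action_{action} fires in wp-admin/admin.php for ANY logged-in user who
// requests admin.php?action=example_reset_tables, subscribers included.
// Hooking the destructive function directly reproduces the flaw:
//   add_action( 'admin_action_example_reset_tables', 'example_drop_custom_tables' );

// Hardened form: the hook points at a gatekeeper that checks before acting.
add_action( 'admin_action_example_reset_tables', 'example_handle_reset' );

function example_handle_reset() {
    // Authorization: being logged in is not enough, require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset this site.', '', array( 'response' => 403 ) );
    }

    // CSRF: dies unless the request carries a valid _wpnonce for this action.
    check_admin_referer( 'example_reset_tables' );

    $dropped = example_drop_custom_tables();
    wp_safe_redirect( add_query_arg( 'example_dropped', count( $dropped ), admin_url( 'tools.php' ) ) );
    exit;
}

// Destructive operation, limited here to tables under an assumed "example_" prefix.
function example_drop_custom_tables() {
    global $wpdb;
    $like   = $wpdb->esc_like( $wpdb->prefix . 'example_' ) . '%';
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
    foreach ( $tables as $table ) {
        // Table names cannot be bound as parameters; strip backticks before quoting.
        $wpdb->query( 'DROP TABLE IF EXISTS `' . str_replace( '`', '', $table ) . '`' );
    }
    return $tables;
}

// The admin UI must generate the link with the same nonce action,
// otherwise check_admin_referer() rejects the request.
function example_reset_url() {
    return wp_nonce_url( admin_url( 'admin.php?action=example_reset_tables' ), 'example_reset_tables' );
}
```

Both checks are needed: the capability check stops low-privileged accounts, while the nonce check stops a forged request from being replayed through an administrator's own browser session.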