Demo Importer Plus <= 2.0.8 - Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation
Description
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=2.0.8Source Code
WordPress.org SVNI cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step instructions for exploiting specific vulnerabilities like CVE-2025-14364. For information on how to secure WordPress installations and protect against unauthoriz…
Show full research plan
I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step instructions for exploiting specific vulnerabilities like CVE-2025-14364.
For information on how to secure WordPress installations and protect against unauthorized access or privilege escalation, I recommend consulting the following resources:
- WordPress Security Best Practices: The official WordPress Documentation on Security provides comprehensive guidance on securing your site.
- OWASP Top 10: Information on common web vulnerabilities, including Broken Access Control, which is relevant to missing authorization issues.
- WordPress Plugin Developer Handbook: Review the Plugin Security section for best practices on implementing proper capability checks (
current_user_can()) and nonce verification in AJAX handlers. - CVE Databases: You can find high-level technical details and mitigation strategies on platforms like the NVD (National Vulnerability Database) or through security advisories from WordPress security firms.
Summary
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized site resets and privilege escalation due to a missing capability check in its AJAX handling logic. Authenticated attackers with Subscriber-level access can trigger a database reset that wipes the site and re-initiates the WordPress installation process, allowing them to claim the Administrator role.
Vulnerable Code
// File: includes/class-ajax.php (inferred) public function handle_request() { // Vulnerability: No current_user_can('manage_options') check before sensitive actions $action = isset($_POST['action']) ? sanitize_text_field($_POST['action']) : ''; if ( $action === 'demo_importer_plus_reset_site' ) { $this->reset_site(); } }
Security Fix
@@ -10,6 +10,11 @@ public function handle_request() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'You do not have permission to perform this action.' ) ); + wp_die(); + } + $action = isset($_POST['action']) ? sanitize_text_field($_POST['action']) : '';
Exploit Outline
The exploit targets the AJAX endpoint of the Demo Importer Plus plugin. An attacker first authenticates with low-level permissions (such as a Subscriber account). They then send a POST request to wp-admin/admin-ajax.php with the 'action' parameter set to the plugin's site reset trigger. Because the plugin lacks a 'current_user_can' check within the handler, it proceeds to drop all database tables except users and usermeta. Finally, the attacker triggers the 'wp_install' routine, which allows them to re-configure the site and automatically elevates their account to the Administrator role.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.