The plugin does not have capability checks in some of its AJAX actions, relying instead on CSRF nonces, which are displayed to any authenticated user. As a result, a user with a role as low as Subscriber could use the hdi_install_demo AJAX action to reset the entire blog (including all database tables except wp_options, wp_users, and wp_usermeta).
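As an added illustration of the flaw (not the plugin's own code), the handler below relies only on a nonce, next to a hardened form that also requires a capability before doing anything destructive; the callback names, the nonce action/field names, the destructive helper and the chosen capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions.

// Vulnerable pattern (shown for contrast, deliberately NOT hooked):
// a nonce only proves the request was built from a page that printed the
// nonce. Because the nonce is printed for every authenticated user, a
// Subscriber passes this check and reaches the destructive routine.
function hdi_install_demo_vulnerable() {
    check_ajax_referer( 'hdi_nonce', 'nonce' );   // hypothetical nonce action/field
    hdi_reset_site_and_import_demo();             // hypothetical destructive helper
    wp_send_json_success();
}

// Hardened pattern: verify the nonce AND require a capability that only
// administrators hold. wp_send_json_error() terminates the request, so
// nothing below it runs for an under-privileged caller.
add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_hardened' );
function hdi_install_demo_hardened() {
    check_ajax_referer( 'hdi_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    hdi_reset_site_and_import_demo();
    wp_send_json_success();
}

// Defence in depth: only emit the nonce for users who hold the capability,
// so it is not exposed to every authenticated account in the first place.
add_action( 'admin_enqueue_scripts', function () {
    if ( current_user_can( 'manage_options' ) ) {
        wp_localize_script(
            'hdi-admin',                              // hypothetical script handle
            'hdiAjax',
            array( 'nonce' => wp_create_nonce( 'hdi_nonce' ) )
        );
    }
} );
```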
CPE

Name | Operator | Version
---|---|---
hashthemes-demo-importer | lt | 1.1.2