CVE-2020-7048

CRITICAL LAB

Webfactoryltd WP Database Reset < 3.1 - Missing Authentication

Title source: rule

Description

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.

Exploits (1)

nomisec SUSPICIOUS 5 stars

by ElmouradiAmine · poc

https://github.com/ElmouradiAmine/CVE-2020-7048

View Code ZIP pw:eip

References (3)

[Release Notes, Third Party Advisory] https://wordpress.org/plugins/wordpress-database-reset/#developers

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/10027

[Exploit, Patch, Third Party Advisory] https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin/

Scores

CVSS v3 9.1

EPSS 0.4706

EPSS Percentile 97.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull wordpress:latest

https://github.com/ElmouradiAmine/CVE-2020-7048

View in Library

Details

CWE

CWE-306

Status published

Products (1)

webfactoryltd/wp_database_reset < 3.1

Published Jan 16, 2020

Tracked Since Feb 18, 2026