CVE-2025-13334
Blaze · Blaze Demo Importer plugin for WordPress
A high-severity vulnerability (CVSS 8.1) in the Blaze Demo Importer plugin for WordPress allows any authenticated user, regardless of role, to completely reset the website.
Executive summary
A high-severity vulnerability (CVSS 8.1) in the Blaze Demo Importer plugin for WordPress allows any authenticated user, regardless of role, to reset the website's database and delete files. Successful exploitation results in total data loss and a complete site outage, so the primary risk is to integrity and availability rather than confidentiality.
Vulnerability
The vulnerability is a missing capability check in the blaze_demo_importer_install_demo function, which the plugin exposes as an admin-ajax.php action of the same name. The function, which imports demo content by wiping the existing site first, never verifies that the requesting user holds an administrative capability before it runs. WordPress's admin-ajax.php only authenticates the session; authorization is left to each handler, so when the handler omits the check, any authenticated user, including a subscriber, can invoke it and trigger the database wipe and file deletion that the import performs.
Business impact
This vulnerability is rated High severity with a CVSS base score of 8.1. The primary business impact is a high probability of catastrophic data loss and extended downtime. Any authenticated user, deliberately or by accident, could wipe all website content, user data, and configuration, leading to data-recovery costs, reputational damage, and loss of customer trust. The operational disruption would require a full site restoration from backups, assuming they exist and are current.
Remediation
Immediate Action: Update the Blaze Demo Importer plugin to the latest patched version provided by the vendor. If the plugin is not actively used or is no longer necessary (demo importers are typically needed only during initial site setup), deactivate and remove it entirely to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for POST requests to wp-admin/admin-ajax.php carrying the action parameter blaze_demo_importer_install_demo, especially from non-administrative users. Note that WordPress AJAX clients usually send the action parameter in the POST body, which default access-log formats do not record; requests that place it in the query string will be visible, but body-level detection requires WAF logging or an application-side hook. Implement file integrity monitoring to detect unauthorized or large-scale file deletions within the WordPress installation directory, and regularly review WordPress audit logs for unusual actions performed by low-privileged accounts.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules that block requests invoking the blaze_demo_importer_install_demo action, inspecting the POST body as well as the query string. Restrict access to the WordPress administrative dashboard to trusted IP addresses; be aware that admin-ajax.php lives under wp-admin and is also used by some front-end features, so if it must stay reachable, the action-specific rule above still needs to apply to it. Enforce the principle of least privilege for all user accounts and disable public user registration if it is not essential to the site's function.
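The following must-use plugin is an added example that covers both the monitoring and the compensating-control advice above; it is not code from the Blaze plugin or from this advisory. It assumes the plugin reaches blaze_demo_importer_install_demo through the standard wp_ajax_{action} hook (consistent with the admin-ajax.php action name given above) and that the plugin registers its own handler at WordPress's default priority 10, so a callback at priority 0 runs first. It enforces the missing capability check and logs every attempt so that denied calls from low-privileged accounts become visible.

```php
<?php
/**
 * Plugin Name: Blaze Demo Importer - temporary authorization guard
 * Description: Added example mitigation (not the Blaze plugin's own code).
 *              Enforces a capability check on the blaze_demo_importer_install_demo
 *              admin-ajax action and logs each attempt. Install by copying this
 *              file to wp-content/mu-plugins/ and remove once the plugin is patched.
 */

// The admin-ajax action name is taken from the advisory's monitoring guidance.
const BDI_GUARD_ACTION = 'blaze_demo_importer_install_demo';

// Assumption: the vulnerable handler is attached to wp_ajax_{action} at the
// default priority (10). Priority 0 guarantees this guard runs before it.
add_action( 'wp_ajax_' . BDI_GUARD_ACTION, 'bdi_guard_install_demo', 0 );

/**
 * Deny the action to anyone without the administrative capability and log the
 * attempt. wp_ajax_* hooks only fire for logged-in sessions, which matches the
 * "any authenticated user" condition of the vulnerability.
 */
function bdi_guard_install_demo() {
    $user_id = get_current_user_id();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // manage_options is the capability WordPress grants to administrators and
    // is the usual gate for site-wide destructive operations.
    $allowed = current_user_can( 'manage_options' );

    // Every call is logged, allowed or not, because this action should be rare
    // outside initial site setup. Point this at your SIEM forwarder if you have one.
    error_log( sprintf(
        '[bdi-guard] action=%s user_id=%d ip=%s result=%s',
        BDI_GUARD_ACTION,
        $user_id,
        $ip,
        $allowed ? 'allowed' : 'denied'
    ) );

    if ( ! $allowed ) {
        // wp_send_json_error() emits the JSON body and then calls wp_die(),
        // so the plugin's own handler registered later on this hook never runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}
```

After deploying, verify the guard from a subscriber-level test account: a POST to wp-admin/admin-ajax.php with action=blaze_demo_importer_install_demo should return HTTP 403 and a [bdi-guard] ... result=denied line in the PHP error log, while an administrator still gets through. If the plugin's own handler turns out to be registered at a priority below 0, or through a different entry point than admin-ajax.php, this guard does not intercept it, so confirm the hook in the installed plugin's source before relying on it. Treat it as a stopgap only; the vendor's patched version remains the fix.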
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 8.1) and the destructive potential of this vulnerability, immediate action is strongly recommended. Organizations running the affected Blaze Demo Importer plugin should apply the security update without delay. Because exploitation results in complete data loss, verifying that recent website backups exist, are intact, and can actually be restored is a critical preparatory step. If the plugin's functionality is not a core requirement, removing it entirely is the most secure course of action.