The flaw is in the HashThemes Demo Importer plugin, which is used on more than 8,000 sites. The vulnerability allows any authenticated user to completely exsanguinate a vulnerable site, deleting nearly all database content and uploaded media. The plugin is designed to let admins easily import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files, .json theme options, .dat customizer files or widget files. WordPress temporarily removed the plugin from the repository, and a patched version was made available a few days later.
Source: https://threatpost.com/wordpress-plugin-bug-wipe-sites/175826/

