HashThemes Demo Importer <= 1.1.1 - Improper Access Control Allowing Content Deletion

Required privileges: Subscriber
Published: 2021-10-25

In versions up to and including 1.1.1, the HashThemes Demo Importer plugin for WordPress registered several AJAX actions whose only access control was a nonce check, and the nonce was exposed to every logged-in user. A WordPress nonce is a CSRF token: it proves that a request originated from the user's own session, not that the user is authorized to perform the action. With no additional capability check, any authenticated user with minimal privileges, such as a subscriber, could read the nonce and invoke the handlers. One reachable function dropped nearly all of the site's database tables and deleted the contents of wp-content/uploads.
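The pattern described above, as an added illustration rather than the plugin's own code: the nonce is emitted for every logged-in user and the AJAX handler treats a valid nonce as authorization, followed by a hardened form that keeps the nonce for CSRF protection and adds an explicit capability check. All action and nonce names (`example_importer_*`) are hypothetical.

```php
<?php
// Added illustrative example; not code from the HashThemes Demo Importer plugin.
// All names prefixed example_importer_ are hypothetical.

// Destructive action reached by the AJAX handlers below. It does what the
// advisory describes: drop the site's tables and empty wp-content/uploads.
function example_importer_reset_site() {
    global $wpdb;
    $like   = $wpdb->esc_like( $wpdb->prefix ) . '%';
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
    foreach ( $tables as $table ) {
        $wpdb->query( 'DROP TABLE IF EXISTS `' . str_replace( '`', '', $table ) . '`' );
    }
    $uploads = wp_upload_dir();
    foreach ( glob( trailingslashit( $uploads['basedir'] ) . '*' ) as $path ) {
        is_dir( $path ) ? example_importer_rmdir_recursive( $path ) : unlink( $path );
    }
}

function example_importer_rmdir_recursive( $dir ) {
    foreach ( array_diff( scandir( $dir ), array( '.', '..' ) ) as $entry ) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        is_dir( $path ) ? example_importer_rmdir_recursive( $path ) : unlink( $path );
    }
    rmdir( $dir );
}

// VULNERABLE PATTERN
// The nonce is printed into every wp-admin page, so any logged-in user,
// a subscriber included, can read it from the page source.
add_action( 'admin_footer', function () {
    $nonce = wp_create_nonce( 'example_importer_reset_nonce' );
    echo '<script>var exampleImporter = { nonce: "' . esc_js( $nonce ) . '" };</script>';
} );

function example_importer_reset_vulnerable() {
    // check_ajax_referer() only proves the request came from this user's own
    // session (CSRF protection). It says nothing about what the user may do.
    check_ajax_referer( 'example_importer_reset_nonce', 'nonce' );

    // No current_user_can() check: a subscriber holding the nonce reaches
    // the destructive code path.
    example_importer_reset_site();
    wp_send_json_success();
}
add_action( 'wp_ajax_example_importer_reset', 'example_importer_reset_vulnerable' );

// HARDENED PATTERN
// 1. Only expose the nonce to users who are allowed to use the feature.
add_action( 'admin_footer', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $nonce = wp_create_nonce( 'example_importer_reset_nonce' );
    echo '<script>var exampleImporter = { nonce: "' . esc_js( $nonce ) . '" };</script>';
} );

// 2. Check both the nonce (CSRF) and the capability (authorization) in the
//    handler itself. Hiding the nonce alone is not sufficient, since a nonce
//    leaked any other way would again grant access.
function example_importer_reset_hardened() {
    check_ajax_referer( 'example_importer_reset_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    example_importer_reset_site();
    wp_send_json_success();
}
add_action( 'wp_ajax_example_importer_reset_safe', 'example_importer_reset_hardened' );
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*` handler and confirm that a `current_user_can()` call guards the privileged branch; a `check_ajax_referer()` or `wp_verify_nonce()` call on its own is not an authorization check, and `wp_ajax_*` actions (as opposed to `wp_ajax_nopriv_*`) are reachable by any authenticated user regardless of role.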

CVSS

Score: 8.1

Severity: High

Affected versions: <= 1.1.1

A patched version, 1.1.2, is available. We strongly recommend updating to this version as soon as possible.