Secure your WordPress backups. Critical vulnerability in UpdraftPlus plugin affects millions of websites

The developers of the popular UpdraftPlus plugin have released a series of updates to address a vulnerability that would allow any user logged into a WordPress site running this plugin to download the backups stored on that site, potentially leaking sensitive information.

Wordfence researchers published a proof of concept (PoC) showing that the attack depends on a backup actually existing, and that the attacker would also have to guess the correct timestamp in order to download it. According to the researchers, certain plugin features make the vulnerability easier to exploit than these preconditions suggest.

UpdraftPlus announced that the flaw was addressed with the release of version 1.22.3, asking users of affected versions to update as soon as possible: “UpdraftPlus is a backup plugin and as such is expected to allow you to download this information. One of its main features is the ability to send links for the download of these backups to a default email address; unfortunately, this functionality was implemented insecurely, allowing low-level authenticated users to create valid links to download backup files,” the developers added.

The flaw lies in the check UpdraftPlus_Options::admin_page() === $pagenow. A threat actor could bypass this check so that the plugin treats the request as one made to options-general.php, while WordPress still treats it as a request to the permitted admin-post.php endpoint.

Exploiting the vulnerability also requires the attacker to hold an active account on the affected site: “Due to its features, the attack is likely to only be used in targeted attacks,” the researchers added.

Wordfence concluded its report by recommending users upgrade to the latest version available: “We recommend WordPress website administrators using this plugin to update as soon as possible to mitigate the risk of sensitive data leakage.” The researchers also mentioned that so far no active exploitation attempts have been detected.
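As an added illustration (not code from the article, Wordfence, or UpdraftPlus), the Python script below checks an install's UpdraftPlus version against the 1.22.3 fix named above; the plugin's main-file path and the sample header are assumptions, and the sample header is constructed.

```python
from __future__ import annotations

import re
from pathlib import Path

# Release that fixed the backup-download flaw, per the article.
FIXED_VERSION = "1.22.3"
# Assumed path of the plugin's main file inside a WordPress root
# (standard layout: wp-content/plugins/<slug>/<slug>.php).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/updraftplus/updraftplus.php")
# Matches the "Version:" field of a WordPress plugin header comment.
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample, shaped like a WordPress plugin header block.
SAMPLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.22.2
*/
"""

def parse_version(text: str) -> tuple[int, ...]:
    """'1.22.3' -> (1, 22, 3), so that 1.22.10 sorts after 1.22.3."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)

def header_version(plugin_source: str) -> str | None:
    """Return the Version: value from a plugin header, or None if absent."""
    match = VERSION_LINE.search(plugin_source)
    return match.group(1) if match else None

def audit_source(plugin_source: str) -> dict:
    """Classify a plugin main file's contents as fixed or still affected."""
    version = header_version(plugin_source)
    if version is None:
        return {"version": None, "needs_update": None, "reason": "no Version: header"}
    affected = parse_version(version) < parse_version(FIXED_VERSION)
    reason = f"below {FIXED_VERSION}" if affected else f"at or above {FIXED_VERSION}"
    return {"version": version, "needs_update": affected, "reason": reason}

def audit_install(wp_root: Path) -> dict:
    """Audit one WordPress root; reports 'not installed' if the plugin is absent."""
    main_file = wp_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"version": None, "needs_update": False, "reason": "not installed"}
    return audit_source(main_file.read_text(encoding="utf-8", errors="replace"))
```

Run audit_install over each WordPress root you manage; a "needs_update" of True means the install still carries a version older than the fix.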

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.