Vulnerability In UpdraftPlus WordPress Plugin Could Expose Backups

2.7K

A severe vulnerability in the UpdraftPlus WordPress plugin could expose backups to subscribers. Thankfully, the developers patched the flaw following the bug report, WordPress admins should update their websites with the latest plugin version.

UpdraftPlus WordPress Plugin Vulnerability

Wordfence shared details about the severe security vulnerability in the Updraft Plus plugin that could expose WordPress backups.

UpdraftPlus is a dedicated plugin for WordPress sites that simplifies backups and restoration. The plugin currently boasts over 3 million active installations. It means any security vulnerability in this plugin could potentially risk millions of WordPress sites.

As elaborated in their post, they found a security flaw that would allow any authenticated site user to download backups made via this plugin. It includes users with any privileges, even the subscribers.

The vulnerability typically existed in the plugin’s functionality, allowing site owners to send backup download links to preferred email addresses. Owing to improper implementation, the plugin would allow any user to craft download links and send them to their email addresses.

Regarding the issue, the post reads,

The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.
Once the attacker has the backup nonce, they can trigger the maybe_download_backup_from_email function…

The attacker would have to pass the UpdraftPlus_Options::admin_page() === $pagenow check. Although, it requires the $pagenow global variable to be set to options-general.php, which is inaccessible to a subscriber-level user. However, an attacker could bluff the $pagenow check by sending a request to the admin-post.php endpoint.

After bypassing this check, the adversary could provide the backup nonce and timestamp to get the backup.

Patch Deployed – Update Now

Initially, the researchers noticed that exploiting the flaw would require the attacker to start the attack during an in-process backup. However, they later discovered that the bug was even more severe.

We have found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, making this vulnerability significantly more exploitable.

The researchers promptly reached out to the plugin developers to report the flaw, who, in turn, released a fix.

The vulnerability, CVE-2022-0633, has received a high-severity rating with a CVSS score of 8.5.

Team Wordfence has confirmed that the Updraft Plugin version 1.22.3 includes the patch for this bug.

However, the changelog on the plugin page shows that the developers have also released another update, version 1.22.4 meanwhile. Therefore, all WordPress admins running this plugin on their sites should ensure updating their websites to the plugin version 1.22.3 or later to get the fix.