A severe vulnerability in the UpdraftPlus WordPress plugin could expose backups to subscriber-level users. Thankfully, the developers patched the flaw following the bug report; WordPress admins should update their websites to the latest plugin version.
UpdraftPlus WordPress Plugin Vulnerability
Wordfence shared details about a severe security vulnerability in the UpdraftPlus plugin that could expose WordPress backups.
UpdraftPlus is a dedicated plugin for WordPress sites that simplifies backups and restoration. The plugin currently boasts over 3 million active installations. It means any security vulnerability in this plugin could potentially risk millions of WordPress sites.
As elaborated in their post, they found a security flaw that would allow any authenticated site user to download backups made via this plugin. It includes users with any privileges, even the subscribers.
The vulnerability existed in the plugin's functionality that allows site owners to send backup download links to email addresses of their choosing. Owing to improper implementation, the plugin would allow any authenticated user to craft download links and send them to their own email addresses.
Regarding the issue, the post reads,
The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.
Once the attacker has the backup nonce, they can trigger the
The attacker would have to pass the UpdraftPlus_Options::admin_page() === $pagenow check. Although, it requires the $pagenow global variable to be set to options-general.php, which is inaccessible to a subscriber-level user. However, an attacker could bluff the $pagenow check by sending a request to the
After bypassing this check, the adversary could provide the backup nonce and timestamp to get the backup.
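The attack chain quoted above gives defenders a concrete signal: a heartbeat request carrying a data[updraftplus] payload from a user who is not an administrator. The following must-use plugin is an added example written for this article, not code from Wordfence or UpdraftPlus; it assumes a running WordPress install, the core heartbeat_received filter, and manage_options as the capability that separates administrators from other users. The hbmon_ prefix and the HBMON_BLOCK constant are invented names.

```php
<?php
/**
 * Plugin Name: Heartbeat backup-request monitor (added example)
 * Description: Logs, and optionally stops, heartbeat requests that carry
 * a data[updraftplus] payload from non-administrators.
 * Install by copying into wp-content/mu-plugins/ so it loads before
 * regular plugins and its filter callback runs first (priority 0).
 */

// Pure decision helper, kept free of WordPress calls so it is testable.
// $data is the decoded data[] array WordPress passes to heartbeat_received.
function hbmon_is_suspicious(array $data, bool $caller_is_admin): bool
{
    // Backup-related heartbeat payloads are expected only from admins;
    // anything else matches the pattern described in the write-up.
    return isset($data['updraftplus']) && !$caller_is_admin;
}

add_filter('heartbeat_received', function (array $response, array $data): array {
    // Assumption: manage_options marks the administrative threshold.
    $is_admin = current_user_can('manage_options');

    if (hbmon_is_suspicious($data, $is_admin)) {
        $user = wp_get_current_user();
        error_log(sprintf(
            'hbmon: data[updraftplus] in heartbeat from non-admin user %d (%s) ip=%s',
            $user->ID,
            $user->user_login,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));

        // Optional virtual patch for sites that cannot update immediately:
        // answering here ends the request before later callbacks run.
        if (defined('HBMON_BLOCK') && HBMON_BLOCK) {
            wp_send_json_error(null, 403); // exits
        }
    }

    return $response;
}, 0, 2);
```

Define HBMON_BLOCK as true in wp-config.php to switch from logging to blocking; the log line alone is enough to feed an alerting rule.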
Patch Deployed – Update Now
Initially, the researchers noticed that exploiting the flaw would require the attacker to start the attack during an in-process backup. However, they later discovered that the bug was even more severe.
We have found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, making this vulnerability significantly more exploitable.
The researchers promptly reported the flaw to the plugin developers, who in turn released a fix.
The vulnerability, CVE-2022-0633, has received a high-severity rating with a CVSS score of 8.5.
The changelog on the plugin page shows that the developers have meanwhile released a further update, version 1.22.4. All WordPress admins running this plugin on their sites should therefore make sure it is updated to version 1.22.3 or later to get the fix.