Security researchers at Automattic and Wordfence have detailed a fairly critical security bug in UpdraftPlus, a popular WordPress plugin.
Researchers noted that this bug can let a semi-privileged user download site’s backups, and steal the sensitive data available in it. UpdraftPlus makers have released a patch and urged site admins to apply it.
Vulnerability in UpdraftPlus Plugin
UpdraftPlus, a WordPress plugin that’s used for creating, restoring, and migrating backups have now turned into a threat for millions of sites relying on it. This is due to a security vulnerability found in it, which can let a qualified attacker cause serious harm to the site’s data.
As written by researchers at Automattic (WordPress.com parent company) and Wordfence (a security company), the bug in UpdraftPlus will let a limited attacker (someone with basic user access to the target site) download the backup files. This is something that’s limited to only admin-level users of the site.
This was later confirmed by the UpdraftPlus team too in a security bulletin. On its website, UpdraftPlus claims to have over three million WordPress websites running its plugin, including Microsoft, Cisco, and NASA! And with the severity score it received (8.5/10), tracked as CVE-2022-0633 is considered a fairly serious threat.
The actual problem was said to be in the validation mechanism of the UpdraftPlus system, where it fails to recognize who’s requesting backups. And it’s named as the WordPress heartbeat function, by Wordfence researchers.
All an attacker has to do is to “send a specially crafted heartbeat request containing a data[updraftplus] parameter”. This will enable the attacker to obtain a backup log, containing all the senstive data stored by the site. This can primarily be used for identity theft, in case having PII, or other malicious attacks.
UpdraftPlus team has released a patch for this on Wednesday, as versions 1.22.3 (free) and 2.22.3 (paid) plug-ins, and urges the site admins to update as soon as possible.