
Millions of WordPress sites had a forced update to fix a critical bug


Millions of WordPress sites received a required update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory patch was released at the request of the UpdraftPlus developers because of the severity of the vulnerability, which allows untrusted subscribers, customers, and other low-privileged users to download a website’s private database as long as they have an account on the vulnerable site. The database often includes sensitive information about customers or the site’s security settings, leaving millions of websites susceptible to serious data breaches that spill passwords, usernames, IP addresses, and more.

Bad results, easy to exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the most widely used scheduled backup plugin for the WordPress content management system. It streamlines backing up data to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups, which is faster and uses fewer server resources than competing WordPress plugins.

“The bug is fairly easy to exploit, with some very bad results if it is exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and reported it privately to the plugin developers. “It makes it possible for low-privileged users to download website backups, including raw database backups. Low-privileged accounts can make a lot of sense. Regular subscribers, customers (e.g. on e-commerce sites), etc.”

Montpas, a researcher at website security firm Jetpack, said he found the flaw during a security audit of the plugin and provided the details to the UpdraftPlus developers on Tuesday. A day later, the developers announced the fix and agreed to have it force-installed on WordPress sites where the plugin was present.

Statistics provided by WordPress.org show that 1.7 million websites received the update as of Thursday, and more than 287,000 more had installed it as of press time. WordPress says the plugin has more than 3 million users.

When it disclosed the vulnerability on Thursday, UpdraftPlus wrote:

This bug allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege that should have been restricted to administrative users only. This can happen because of a lack of permission checks in the code related to checking the current backup status. That exposes an internal identifier that is otherwise unknown, which can then be used to pass the check on whether a download is authorized.

This means that if your WordPress site allows untrusted users to log in, and if you have any existing backups, then you are potentially vulnerable to an attack by a technically skilled user trying to download an existing backup. Affected websites are at risk of data loss / theft through an attacker accessing your website backup, if your site contains any non-public content. I say “technically skilled” because at the time of writing there was no public evidence of how to take advantage of this; at this point, it relies on the hacker reverse engineering the changes in the latest UpdraftPlus release to work that out. However, you should definitely not expect this to take a long time, and should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.

Hacker listens to heartbeat

In his own disclosure, Montpas said the vulnerability stemmed from several flaws. The first is in UpdraftPlus’s implementation of the WordPress heartbeat function. UpdraftPlus did not properly verify that the user who submitted the request had administrative privileges. That represents a serious problem because the function fetches a list of all active backup jobs and the date of the site’s latest backup. Included in that data is a custom nonce the plugin uses to secure backup downloads.

“As a result, an attacker can make a malicious request targeting this heartbeat callback to gain access to information about the website’s latest backup to date, which, among other things, will contain the backup’s nonce,” Montpas wrote.
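The bug class described in the advisory above and in Montpas’s write-up, as an added example written for this article (it is not UpdraftPlus’s code, and the function names, option key, AJAX action and nonce action are hypothetical): a heartbeat callback that hands any logged-in user a status payload containing the nonce that protects backup downloads, next to the hardened form, where both the status callback and the download handler check a capability before the nonce is ever created or verified.

```php
<?php
/*
 * Added example, not UpdraftPlus code. All demo_* names, the option key
 * 'demo_last_backup_timestamp', the AJAX action 'demo_backup_download' and the
 * nonce action 'demo-backup-download' are hypothetical.
 */

// Shared helper: stream a file from the backup directory, refusing traversal.
function demo_stream_backup_file( $name ) {
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'demo-backups/';
    $path = realpath( $dir . basename( $name ) );
    if ( false === $path || 0 !== strpos( $path, realpath( $dir ) ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// --- Vulnerable pattern: no capability check on the status callback ---------
function demo_backup_status_vulnerable( $response, $data ) {
    // heartbeat_received runs inside admin-ajax.php for any logged-in user,
    // so "has an account" is the only bar an attacker has to clear here.
    if ( empty( $data['demo_backup_status'] ) ) {
        return $response;
    }
    $response['demo_backup_status'] = array(
        'last_backup' => get_option( 'demo_last_backup_timestamp' ),
        // The nonce is minted for the caller's own session, which is exactly
        // what the download handler below will accept.
        'nonce'       => wp_create_nonce( 'demo-backup-download' ),
    );
    return $response;
}

function demo_backup_download_vulnerable() {
    // A nonce is a CSRF token tied to the current user, not proof of
    // authorization: a subscriber who obtained one via the heartbeat leak
    // passes this check and receives the backup.
    check_ajax_referer( 'demo-backup-download', 'nonce' );
    demo_stream_backup_file( sanitize_file_name( $_GET['file'] ) );
}

// --- Hardened pattern: capability first, nonce second -----------------------
function demo_backup_status_fixed( $response, $data ) {
    if ( empty( $data['demo_backup_status'] ) ) {
        return $response;
    }
    // Only users allowed to manage the site get status data, so the nonce
    // never reaches a low-privileged user's browser in the first place.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $response['demo_backup_status'] = array(
        'last_backup' => get_option( 'demo_last_backup_timestamp' ),
        'nonce'       => wp_create_nonce( 'demo-backup-download' ),
    );
    return $response;
}

function demo_backup_download_fixed() {
    // Defence in depth: even a leaked or guessed nonce is useless without the
    // capability, because the authorization decision no longer rests on it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'demo-backup-download', 'nonce' );
    demo_stream_backup_file( sanitize_file_name( $_GET['file'] ) );
}

// Wire up the hardened versions. Swapping in the *_vulnerable callbacks on a
// throwaway test site reproduces the bug class with a subscriber account.
add_filter( 'heartbeat_received', 'demo_backup_status_fixed', 10, 2 );
add_action( 'wp_ajax_demo_backup_download', 'demo_backup_download_fixed' );
```

The point to take from the two versions is where the authorization decision lives. In the vulnerable form the only secret standing between a subscriber and the backup is the nonce, and the nonce is generated for whichever user asks, so leaking it through an unauthenticated-to-role callback is a full bypass. In the hardened form the capability check runs on both the callback that emits the nonce and the handler that consumes it, so the nonce goes back to being what WordPress designed it as: a replay and CSRF guard, not a permission.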
