Millions of WordPress sites get a forced update to correct an additional flaw in plugins


Millions of WordPress sites received a forced update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory patch came at the request of UpdraftPlus developers because of the severity of the vulnerability, which allows untrusted subscribers, customers and others to download the site’s database as long as they have an account on the affected site. Databases often contain sensitive information about customers or site security settings, leaving millions of sites vulnerable to serious data breaches that leak passwords, names, IP addresses, and more.

Bad results, easy to exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the most widely used scheduled-backup plugin for the WordPress content management system. It supports backing up data to Dropbox, Google Drive, Amazon S3 and other cloud services. Its developers also say that it allows users to schedule regular backups and that it is faster and uses fewer server resources than competing WordPress plugins.

“This bug is very easy to exploit, with some very bad results if it is exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and informed the plugin developers. “It has allowed low-privileged users to download site backups, which include raw database backups. Low-privileged users can mean a lot of things. Regular subscribers, customers (on e-commerce sites, for example), etc.”

Montpas, a researcher with website security firm Jetpack, said he discovered the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers published a fix and agreed to have it force-installed on WordPress sites that had the plugin installed.


Statistics provided by WordPress.org show 1.7 million sites received the update on Thursday, and more than 287,000 others had it installed as of press time. WordPress says the plugin has more than 3 million users.

In disclosing the vulnerability on Thursday, UpdraftPlus wrote:

This flaw allows any logged-in user on a WordPress installation with an active UpdraftPlus plugin to exercise the privilege of downloading an existing backup, a privilege that should be restricted to administrative users only. This was possible because of a missing permissions check in the code related to checking the current backup status. This allowed an internal identifier that was otherwise unknown to be obtained, which could then be used to pass the permission check on download.

This means that if your WordPress site allows untrusted users to log in to WordPress, and if you have any existing backup, you are likely to be vulnerable to a technically skilled user working out how to download your current backup. Affected sites are at risk of data loss/data theft by an attacker accessing a copy of your site’s backup, if your site contains anything that is not public. I say “technically skilled” because at this point, no public demonstration of how to exploit this has been given. At this time, you are relying on a hacker reverse engineering the changes in the latest version of UpdraftPlus to work this out. However, you should definitely not rely on this taking a long time, but update immediately. If you are the only user on your WordPress site, or if all of your users are trusted, you are not at risk, but we still recommend updating in any case.
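As an added illustration of the defect class the advisory describes (a missing authorization check on a status endpoint that leaks an internal identifier, which a download endpoint then accepts as proof of permission), here is a hypothetical WordPress admin-ajax handler in its vulnerable and hardened forms. This is example code written for this page, not UpdraftPlus’s code; the example_* function names, the AJAX action names and the option keys are assumptions.

```php
<?php
// Hypothetical plugin exposing backup status and download over admin-ajax.
// All example_* names and option keys are assumptions for this illustration.

// --- Vulnerable pattern: only a CSRF nonce is checked, never a capability. ---
// wp_ajax_* handlers are reachable by any logged-in user (subscribers included),
// so the per-backup identifier leaks to low-privileged accounts.
function example_backup_status_vulnerable() {
    check_ajax_referer( 'example-ajax', 'nonce' );   // CSRF protection, not authorization
    wp_send_json( array(
        'state'        => get_option( 'example_backup_state', 'idle' ),
        'backup_nonce' => get_option( 'example_backup_nonce' ),   // internal identifier leaks
    ) );
}

// --- Hardened pattern: authorize before returning any backup metadata. ---
function example_backup_status_fixed() {
    check_ajax_referer( 'example-ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {  // administrators only
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json( array(
        'state'        => get_option( 'example_backup_state', 'idle' ),
        'backup_nonce' => get_option( 'example_backup_nonce' ),
    ) );
}

// The download endpoint must also require the capability; possession of the
// identifier alone must never stand in for authorization.
function example_backup_download_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $supplied = isset( $_GET['backup_nonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['backup_nonce'] ) )
        : '';
    // Constant-time comparison against the stored identifier.
    if ( ! hash_equals( (string) get_option( 'example_backup_nonce' ), $supplied ) ) {
        wp_die( 'unknown backup', '', array( 'response' => 404 ) );
    }
    // Serve the backup archive to the authorized administrator here.
}

add_action( 'wp_ajax_example_backup_status', 'example_backup_status_fixed' );
add_action( 'wp_ajax_example_backup_download', 'example_backup_download_fixed' );
```

The defender-side check is the same in both handlers: a capability test with current_user_can() runs before any backup metadata or file is returned, independently of whether the caller knows the identifier.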
