Millions of WordPress sites get a forced update to correct an additional flaw in plugins

Millions of WordPress sites received a forced update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory patch came at the request of UpdraftPlus developers due to the severity of the vulnerability, allowing untrusted subscribers, customers and others to download the site’s database as long as they have an account on the compromised site. Databases often contain sensitive information about customers or site security settings, leaving millions of sites vulnerable to serious data breaches that leak passwords, usernames, IP addresses, and more.

Bad results, easy to exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the most widely used online scheduler plugin for WordPress content management system. It simplifies data backup to Dropbox, Google Drive, Amazon S3 and other cloud services. Its developers also say that it allows users to schedule regular backups and is faster and uses fewer server resources than competing WordPress plugins.

“This bug is very easy to exploit, with some very bad results if it is exploited,” said Mark Monpass, the security researcher who discovered the vulnerability and informed the plugin developers. “It has allowed low-privileged users to download site backups, which include raw database backups. Low-privileged accounts can mean a lot of things. Regular subscribers, customers (on e-commerce sites, for example), etc.”

Monpass, a researcher with website security firm Jet, said he discovered the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers published a fix and agreed to force it to be installed on WordPress sites that had the plugin installed.

Statistics provided by WordPress.org show 1.7 million sites received the update on Thursday, and more than 287,000 others had it installed as of press time. WordPress says the plugin has more than 3 million users.

In revealing the vulnerability on Thursday, UpdraftPlus Wrote:

This flaw allows any user logged in on a WordPress installation with an active UpdraftPlus to exercise the privilege to download an existing backup, a privilege that should be restricted to administrative users only. This was possible due to the loss of permissions to check code related to checking the current backup state. This allowed an internal identifier that was otherwise unknown to be obtained that could then be used to pass the verification process on download permission.

This means that if your WordPress site allows untrusted users to log into WordPress, and if you have any existing backup, you are likely to be vulnerable to a technically savvy user working out how to download your current backup. Affected sites are at risk of data loss/data theft by an attacker accessing a copy of your site backup, if your site contains anything that is not public. I say “technically skilled” because at that point, no general evidence has been given of how to take advantage of this exploit. At this time, you are relying on a hacker who is reverse engineering changes in the latest version of UpdraftPlus to solve this problem. However, you should definitely not rely on this time consuming command but update immediately. If you are the only user on your WordPress site, or if all of your users are trusted, you are not at risk, but we still recommend updating in any case.