Millions of WordPress Sites Get Forced Update to Fix Critical Plugin Flaw

Getty Images

Millions of WordPress sites received a forced update in the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory fix came at the request of UpdraftPlus developers due to the severity of the vulnerability, which allows untrusted subscribers, customers and others to download the site’s private database as long as they have an account on the vulnerable site. . Databases frequently include sensitive information about customers or site security settings, leaving millions of sites vulnerable to serious data breaches that spill passwords, usernames, IP addresses, and more. .

Bad results, easy to exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the internet’s most widely used scheduled backup plugin for the WordPress content management system. It streamlines data backup to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses less server resources than competing WordPress plugins.

“This bug is quite easy to exploit, with very poor results if exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and privately reported it to the plugin’s developers. “This allowed low-privileged users to download a site’s backups, which include raw database backups. Low privilege accounts can mean a lot of things. Regular subscribers, customers (on e-commerce sites for example), etc.

Montpas, researcher at a website security company Jetpack sweep, said it found the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers released a patch and agreed to force-install it on WordPress sites where the plugin was installed.

Statistics provided by To display that 1.7 million sites received the update on Thursday and more than 287,000 more had installed it at press time. WordPress says the plugin has over 3 million users.

In disclosing the vulnerability on Thursday, UpdraftPlus wrote:

This flaw allows any logged in user on a WordPress installation with UpdraftPlus active to exercise the privilege to download an existing backup, a privilege that should have been reserved for administrative users only. This was possible due to a missing permissions check on the code related to checking the status of the current save. This obtained an internal identifier that was otherwise unknown and could then be used to pass a check during download authorization.

This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have an existing backup, you are potentially vulnerable to a technically skilled user looking to download the existing backup. Affected sites risk losing or stealing data via the attacker accessing a backup copy of your site, if your site contains anything non-public. I say “technically qualified” because at this point no public proof of how to take advantage of this exploit has been made. At this point, he relies on a hacker reverse-engineering changes made to the latest version of UpdraftPlus to solve it. However, you should definitely not count on this time, but should update immediately. If you are the only user on your WordPress site, or if all of your users are trusted, then you are not vulnerable, but we still recommend updating in any case.

Esther L. Gunn