Vulnerability in UpdraftPlus plugin exposed millions of WordPress site backups

A high-severity vulnerability in the WordPress UpdraftPlus plugin may allow an attacker to obtain website backups that could contain sensitive information.

UpdraftPlus provides site administrators with backup and restore capabilities, allowing them to store backups in the cloud and restore them with the click of a button. The plugin has over three million active installs.

On February 16, the plugin developers released an update to resolve CVE-2022-0633 (CVSS score of 8.5), a security error that allows even users with subscriber-level permissions to access any backup created with UpdraftPlus.

“This flaw allows any user logged into a WordPress installation with UpdraftPlus active to exercise the privilege to download an existing backup, a privilege that should have been reserved for administrative users only,” notes the UpdraftPlus development team.

The issue is related to a feature that fails to ensure that a user sending a heartbeat request has administrator permissions. Thus, it allowed an attacker to create a malicious request and retrieve information about the site’s last backup, according to WordPress security and performance firm Jetpack, whose researchers discovered the flaw.

Site backups are securely identified using custom nonces and timestamps, and an attacker who possesses them could gain access to various features of the plugin, according to the researchers.

[READ: Critical Code Execution Flaws Patched in ‘PHP Everywhere’ WordPress Plugin]

Researchers also found that because the plugin failed to properly validate user roles, even accounts with minimal privileges on the site could download backups and access a site database.

Specifically, an attacker could abuse a feature of UpdraftPlus that allows backup URLs to be sent to an email address defined by the site owner and backup file URLs to email addresses. mail controlled by the attacker.

The Wordfence team at WordPress security company Defiant said that for an attack to be successful, the attacker must have an active account on the target system, and that they must also spoof the request to receive the URL via email, in a way that makes it look like they comes from a different endpoint.

“Affected sites are at risk of data loss/theft via the attacker accessing a backup copy of your site, if your site contains anything non-public,” the UpdraftPlus team says.

The team also explains that, at this time, no proof-of-concept (PoC) exploit code targeting the bug is publicly available, but warned that hackers could quickly reverse engineer the patch.

UpdraftPlus version 1.22.3, which fixes the vulnerability, was released a day after the issue was reported to developers. Forced automatic updates have been pushed due to the severity of the flaw and the majority of plugin installs have already been updated to a patched version.

Related: Remote Code Execution Flaws Fixed in WordPress Download Manager Plugin

Related: Actively Mined Zero-Day Found in Popular WordPress Ecommerce Plugin

Related: Vulnerability That Allows Full WordPress Site Takeover Exploited in the Wild

Ionut Argire is an international correspondent for SecurityWeek.

Previous columns by Ionut Arghire:
Key words:

Esther L. Gunn