Hacking

UpdraftPlus WordPress plugin update forced for million sites

WordPress forces the update of the UpdraftPlus plugin patch on 3 million sites to fix a high-severity vulnerability.

WordPress has forced the update of the UpdraftPlus plugin around three million sites to address a high-severity vulnerability, tracked as CVE-2022-0633 (CVSS v3.1 score of 8.5) that can allow website subscribers to download the latest database backups, which could potentially contain sensitive data.

“The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.” reads the advisory for this issue.

The flaw was discovered Marc Montpas during an internal audit of the plugin.

“The plugin uses custom “nonces” and timestamps to securely identify backups. Given the knowledge of said nonce and timestamp can give someone access to quite a few of the plugin’s features, making sure this info is only accessible to those who legitimately need it is crucial.” reported the analysis. “Unfortunately, as we’ll demonstrate, it wasn’t the case.”

The issue impacts versions 1.16.7 to 1.22.2 of the plugin, the development team addressed it with the release of 1.22.3 or 2.22.3 for the (paid) Premium version.

The plugin allows users to easily perform manual or scheduled backups, it allows to restore backups directly from the WordPress control panel.The issue is an improper user validation bug that can allow low-level authenticated users to craft a valid link that would allow them to download the files.

The attack chain starts by sending a heartbeat request containing a data parameter to obtain information about the site’s latest backup to date.

“An attacker could thus craft a malicious request targeting this heartbeat callback to get access to information about the site’s latest backup to date, which will among other things contain a backup’s nonce.” continues the report.

This info could allow attackers to receive the backup via mail by manipulating the request.

“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn’t directly validate users’ roles either.” continues the analysis. “While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input. Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”

Below is the timeline for this flaw:

2022-02-14 – Initial contact with UpdraftPlus
2022-02-15 – We send them details about this vulnerability
2022-02-16 – UpdraftPlus 1.22.3 is released, forced auto-updates launched

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

4 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

6 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

6 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

17 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

20 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

1 day ago