FOR YOUR OWN GOOD —
UpdraftPlus vulnerability allows untrusted visitors to download a full database backup.
Getty Images
Millions of WordPress sites have received a forced update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.
The mandatory patch came at the request of UpdraftPlus developers because of the severity of the vulnerability, which allows untrusted subscribers, customers, and others to download the site’s private database as long as they have an account on the vulnerable site. Databases frequently include sensitive information about customers or the site’s security settings, leaving millions of sites susceptible to serious data breaches that spill passwords, user names, IP addresses, and more.
Bad outcomes, easy to exploit
UpdraftPlus simplifies the process of backing up and restoring website databases and is the Internet’s most widely used scheduled backup plugin for the WordPress content management system. It streamlines data backup to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses fewer server resources than competing WordPress plugins.
“This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and privately reported it to the plugin developers. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups. Low-privilege accounts could mean a lot of things. Regular subscribers, customers (on e-commerce sites, for example), etc.”
Montpas, a researcher at website security firm Jetpack, said he found the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers published a fix and agreed to force-install it on WordPress sites that had the plugin installed.
Stats provided by WordPress.org show that 1.7 million sites received the update on Thursday, and more than an additional 287,000 had installed it as of press time. WordPress says the plugin has 3+ million users.
In disclosing the vulnerability on Thursday, UpdraftPlus wrote:
This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown and could then be used to pass a check upon permission to download.
This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have any existing backup, then you are potentially vulnerable to a technically skilled user working out how to download the existing backup. Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public. I say “technically skilled” because at that point, no public proof of how to leverage this exploit has been made. At this point in time, it relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out. However, you should certainly not rely upon this taking long but should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.
Note: This article have been indexed to our site. We do not claim legitimacy, ownership or copyright of any of the content above. To see the article at original source Click Here
Alpha Grillers Instant Read Meat Thermometer for Cooking Grilling and Griddle Accessories Kitchen Essentials - Waterproof Backlight & Calibration, Birthday Mens Gifts Valentines Day Gifts for Him
$13.05 (as of February 6, 2025 20:03 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Filtrete 20x20x1 AC Furnace Air Filter, MERV 5, MPR 300, Capture Unwanted Particles, 3-Month Pleated 1-Inch Electrostatic Air Cleaning Filter, 6-Pack (Actual Size19.69x19.69x0.81 in)
$33.84 (as of February 6, 2025 20:03 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Massive Beads Multicolor Tiger's Eye - Vitality and Abundance - Handmade Handmade Yoga Stretch Elastic Bracelet Natural Stone Crystal Healing Power Energy Gifts for Unisex Adult 4mm
$6.99 (as of February 5, 2025 19:31 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
The Day I Found My Missing Piece Light Frame Custom Photo Frame with Night Light Personalized Acrylic Plaque Photo Frame Gift for Girlfriend Couple Valentine Anniversary (Frame)
$21.99 (as of February 6, 2025 19:27 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
/cdn.vox-cdn.com/uploads/chorus_asset/file/25380897/image__14_.png)
