San Francisco, NFAPost: A vulnerability was discovered for UpdraftPlus, a WordPress plugin with over 3 million installations. If exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database like usernames and hashed passwords.
The issue was discovered during an internal audit of the UpdraftPlus plugin. A team of researchers uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.
Two previously unknown vulnerabilities were discovered. The first was related to how UpdraftPlus security tokens called, nonces, could be leaked. This allowed an attacker to obtain the backup, including the nonce.
The second vulnerability was tied to an improper validation of a registered user’s role, precisely what WordPress warns that developers should take steps to lock down plugins. The improper user role validation allowed someone with the data from the previous vulnerability to download any of the backups, which of course contains sensitive information.
Updraftplus allows WordPress administrators to back up their WordPress installations, including the entire database which contains user credentials, passwords and other sensitive information. Publishers rely on UpdraftPlus to adhere to the highest standards of security in their plugin because of how sensitive the data is that’s backed up with the plugin.
The Wordfence Threat Intelligence team said, “The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate sub parameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”
It further urged all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, since the consequences of a successful exploit would be severe.