UpdraftPlus, a plugin that allows users to backup to various cloud providers, has patched a severe security vulnerability that would allow logged-in users to download a site’s latest backups. The patched version (1.22.3) was sent out via a forced auto-update, a measure reserved for severe vulnerabilities that affect a large number of users. UpdraftPlus is active on more than 3 million WordPress sites.
The vulnerability was discovered by Jetpack Scan Security researcher Marc Montpas during an internal audit. UpdraftPlus explained the vulnerability to users in an advisory after the update went out:
This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown, and could then be used to pass a check upon permission to download.
The issue affects both the paid and free versions of the plugin. A fix was pushed to paid customers within an hour of receiving the report. Every version of the free plugin between 1.16.7 and 1.22.3 is vulnerable. UpdraftPlus claims the majority of sites have been updated. WordPress.org stats show that ~35% of Updraft users have not updated to the latest, which leaves more than a million installations still vulnerable.
So far there are no confirmed reports of exploits. For more details on the vulnerability, check out Montpas’ report on the Jetpack website. UpdraftPlus users are encouraged to check their websites to ensure the plugin is running on the latest, patched version.