Millions of WordPress Sites Got a Forced Update to Fix a Serious Bug

Millions of WordPress sites have received a forced update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory patch came at the request of UpdraftPlus developers because of the severity of the vulnerability, which allows untrusted subscribers, customers, and others to download the site’s private database as long as they have an account on the vulnerable site. Databases frequently include sensitive information about customers or the site’s security settings, leaving millions of sites susceptible to serious data breaches that spill passwords, user names, IP addresses, and more.

Bad Outcomes, Easy to Exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the internet’s most widely used scheduled backup plugin for the WordPress content management system. It streamlines data backup to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses fewer server resources than competing WordPress plugins.

“This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and privately reported it to the plugin developers. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups. Low-privilege accounts could mean a lot of things. Regular subscribers, customers (on ecommerce sites, for example), etc.”

hop over to this site
i was reading this
click here to read
read here
i loved this
my blog
click now
you can try these out
informative post
top article
useful site
click this over here now
moved here
about his
navigate to this site
click this
click here for more info
investigate this site
more helpful hints
over at this website
go to the website
try this site
look at more info
look what i found
Full Report
Extra resources
get more
like it
click here for more
find out here now
this hyperlink
site here
discover here
click here for info
try this website
look at here
Visit Your URL
see this website
visit this page
Click Here
check this

Montpas, a researcher at website security firm Jet, said he found the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers published a fix and agreed to force-install it on WordPress sites that had the plugin installed.

Stats provided by show that 1.7 million sites received the update on Thursday, and more than 287,000 more had installed it as of press time. WordPress says the plugin has 3+ million users.

In disclosing the vulnerability on Thursday, UpdraftPlus wrote:

This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown and could then be used to pass a check upon permission to download.

This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have any existing backup, then you are potentially vulnerable to a technically skilled user working out how to download the existing backup. Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public. I say “technically skilled” because at that point, no public proof of how to leverage this exploit has been made. At this point in time, it relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out. However, you should certainly not rely upon this taking long but should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.

Hackers Listen to the Heartbeats

In his own disclosure, Montpas said the vulnerability stemmed from several flaws. The first was in the UpdraftPlus implementation of the WordPress heartbeat function. UpdraftPlus didn’t properly validate that users who sent requests had administrative privileges. That represented a serious problem because the function fetches a list of all active backup jobs and the date of the site’s latest backup. Included in that data is the custom nonce that the plugin used to secure backups.

“An attacker could thus craft a malicious request targeting this heartbeat callback to get access to information about the site’s latest backup to date, which will, among other things, contain a backup’s nonce,” Montpas wrote.


Leave a Comment

Your email address will not be published.