Security researchers have identified a vulnerability in UpdraftPlus for WordPress, a plugin with over 3 million installations, that lets any logged-in user download backups of the affected websites.
WordPress's huge installation base makes it a prime target for attackers and security researchers alike. The good news is that this critical UpdraftPlus vulnerability was found by a security researcher and quickly patched. Attackers could just as easily have discovered the vulnerability and wielded it with malicious intent.
As UpdraftPlus is a plugin that deals with backups and restoration of entire websites, it stands to reason that a vulnerability that would allow someone to download a backup is a highly sensitive problem.
“This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only,” said the UpdraftPlus developers. “This was possible because of a missing permissions check on code related to checking current backup status,” they added. “This allowed the obtaining of an internal identifier which was otherwise unknown, and could then be used to pass a check upon permission to download.”
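The defect the developers describe is a classic authorization gap: an endpoint that should have been administrator-only skipped its permission check, leaked an internal identifier, and a second endpoint treated knowledge of that identifier as proof of authorization. The following illustration is added here and is not UpdraftPlus code or the article's; it uses a hypothetical plugin ("demo_backup") with assumed action and option names to show the weak pattern beside a hardened one using standard WordPress APIs (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`).

```php
<?php
// Added illustration (hypothetical "demo_backup" plugin), not UpdraftPlus code.
// Both handlers hang off admin-ajax.php, so they already require a logged-in
// user, but login is not authorization: any subscriber can reach them.

/* ---- Weak pattern: nonce check only, no capability check ---- */

// The nonce proves the request came from a page the site served, not that the
// caller is allowed to see backup state. The response includes the internal
// backup identifier that the download handler later relies on.
function demo_backup_status_weak() {
    check_ajax_referer( 'demo_backup_nonce', 'nonce' );
    $state = get_option( 'demo_backup_state', array() ); // contains 'backup_id' (assumed)
    wp_send_json_success( $state );
}

// Possession of the identifier is treated as the permission check, so a
// caller who obtained it from the status endpoint passes the gate.
function demo_backup_download_weak() {
    $state = get_option( 'demo_backup_state', array() );
    if ( empty( $_GET['backup_id'] ) || $_GET['backup_id'] !== ( $state['backup_id'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'Unknown backup' ), 404 );
    }
    demo_backup_send_file( $state['file'] );
}

/* ---- Hardened pattern: authorize first, then validate the identifier ---- */

// One helper applied to every backup-related action: capability check first
// (manage_options = administrator on a single site), then the nonce.
function demo_backup_require_admin() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    check_ajax_referer( 'demo_backup_nonce', 'nonce' );
}

function demo_backup_status_fixed() {
    demo_backup_require_admin();
    $state = get_option( 'demo_backup_state', array() );
    // Even for admins, do not echo more than the caller needs.
    wp_send_json_success( array( 'status' => $state['status'] ?? 'idle' ) );
}

function demo_backup_download_fixed() {
    demo_backup_require_admin();                 // authorization no longer rests on a secret ID
    $state     = get_option( 'demo_backup_state', array() );
    $requested = isset( $_GET['backup_id'] ) ? sanitize_text_field( wp_unslash( $_GET['backup_id'] ) ) : '';
    if ( '' === $requested || ! hash_equals( (string) ( $state['backup_id'] ?? '' ), $requested ) ) {
        wp_send_json_error( array( 'message' => 'Unknown backup' ), 404 );
    }
    demo_backup_send_file( $state['file'] );
}

// Streams a file from the plugin's own backup directory only (assumed layout).
function demo_backup_send_file( $name ) {
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'demo_backup/';
    $path = realpath( $dir . basename( $name ) );
    if ( false === $path || 0 !== strpos( $path, realpath( $dir ) ) || ! is_file( $path ) ) {
        wp_send_json_error( array( 'message' => 'Unknown backup' ), 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Register only the hardened handlers; the weak ones are shown for contrast.
add_action( 'wp_ajax_demo_backup_status',   'demo_backup_status_fixed' );
add_action( 'wp_ajax_demo_backup_download', 'demo_backup_download_fixed' );
```

The check a plugin reviewer would want: every `wp_ajax_*` (and especially `wp_ajax_nopriv_*`) handler that touches privileged data should call `current_user_can()` with an appropriate capability before doing anything else, and no identifier returned by one endpoint should be the sole thing standing between a low-privileged user and another endpoint's sensitive output.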
Exploiting this vulnerability would require technical skill, and no proof of how to leverage it has been made public. Security researcher Marc-Alexandre Montpas of Automattic discovered the issue, and the UpdraftPlus team quickly patched the plugin. The team confirmed that most websites have already applied the patch, but with 3 million downloads, it will take a while until everyone is up to speed.