Security researchers at Automattic have disclosed a vulnerability in the popular WordPress backup plugin UpdraftPlus. The flaw lets an attacker holding any logged-in account on the site, including a low-privileged subscriber account, download the site's backups, which contain the database with usernames and hashed passwords. Automattic called it a “critical vulnerability.”
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is a popular WordPress backup plugin that is actively installed on over 3 million websites.
The plugin allows WordPress administrators to back up their WordPress installation, including the entire database, which holds user accounts, password hashes, and other sensitive information.
Because the data a backup plugin handles is this sensitive, publishers rely on UpdraftPlus to meet the highest security standards.
UpdraftPlus Vulnerability
The vulnerability was discovered during an audit conducted by security researchers at Automattic’s Jetpack.
They found two previously unknown weaknesses that chain together.
The first concerns how UpdraftPlus security tokens (called nonces) were leaked through the WordPress Heartbeat API: any logged-in user could obtain the nonces together with information about the existing backups, which is exactly what the download endpoint later trusts.
According to WordPress’s own developer guidance, a nonce should never be the main line of defense. The guidance explicitly states that functions must be secured by checking what the current user is allowed to do, using the function current_user_can():
“Never rely on nonces for authentication, authorization, or access control. Use current_user_can() to protect your functions, and always assume nonces can be compromised.”
The second weakness is the missing validation of the user’s role in the backup download handler, precisely the check that the WordPress guidance above calls for.
Combined with the nonces leaked by the first weakness, the missing role check lets any logged-in user download any backup, which of course contains the sensitive data described above.
Jetpack describes it as follows:
“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method hooked to admin_init also does not directly authenticate the user’s role.
While it does apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.
Bad actors could use this endpoint to download files and database backups based on the information they leaked from the aforementioned Heartbeat vulnerability.”
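To make the two patterns concrete, the following is an added example written for this page; it is not UpdraftPlus’s or Jetpack’s code. It sketches a hypothetical backup plugin (all demo_backup_* names, the option name and the backup directory are invented) that first shows the weak shape of each of the two flaws, then the hardened shape that authorizes with current_user_can() before the nonce is even looked at:

```php
<?php
// Added illustration, not UpdraftPlus code. Hypothetical "demo_backup" plugin;
// every demo_backup_* identifier, option and path below is invented.

// ---- Weakness 1 (weak form): Heartbeat callback that hands backup metadata and
// a download nonce to any logged-in user. Heartbeat runs for every authenticated
// session, so a subscriber receives the same response an administrator would.
function demo_backup_heartbeat_weak( $response, $data ) {
    if ( empty( $data['demo_backup_check'] ) ) {
        return $response;
    }
    $response['demo_backup'] = array(
        'backups' => get_option( 'demo_backup_list', array() ),   // names of stored backups
        'nonce'   => wp_create_nonce( 'demo_backup_download' ),   // token the download endpoint trusts
    );
    return $response;
}

// ---- Weakness 1 (hardened): only an administrator-level capability gets the data.
function demo_backup_heartbeat_safe( $response, $data ) {
    if ( empty( $data['demo_backup_check'] ) || ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $response['demo_backup'] = array(
        'backups' => get_option( 'demo_backup_list', array() ),
        'nonce'   => wp_create_nonce( 'demo_backup_download' ),
    );
    return $response;
}

// ---- Weakness 2 (weak form): download handler on admin_init that relies on
// $pagenow and the nonce. admin_init also fires for admin-ajax.php and
// admin-post.php, which every logged-in user can reach, and $pagenow is derived
// from the request, so neither one is an authorization check. The nonce is per
// user, so a subscriber's own leaked nonce verifies fine for that subscriber.
function demo_backup_download_weak() {
    global $pagenow;
    if ( 'options-general.php' !== $pagenow || ! isset( $_GET['demo_backup_download'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'demo_backup_download' ) ) {
        wp_die( 'Bad nonce', '', array( 'response' => 403 ) );
    }
    // Anyone who obtained a nonce (e.g. through the Heartbeat leak) reaches this point.
    demo_backup_stream_file( sanitize_file_name( wp_unslash( $_GET['demo_backup_download'] ) ) );
}

// ---- Weakness 2 (hardened): capability check first; the nonce is then only
// CSRF protection, which is the role the WordPress documentation gives it.
function demo_backup_download_safe() {
    if ( ! isset( $_GET['demo_backup_download'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'demo_backup_download' ) ) {
        wp_die( 'Bad nonce', '', array( 'response' => 403 ) );
    }
    demo_backup_stream_file( sanitize_file_name( wp_unslash( $_GET['demo_backup_download'] ) ) );
}

// Streams one file from the (invented) backup directory, refusing any name that
// resolves outside it.
function demo_backup_stream_file( $name ) {
    $dir  = realpath( trailingslashit( WP_CONTENT_DIR ) . 'demo-backups' );
    $path = realpath( $dir . '/' . $name );
    if ( false === $dir || false === $path || dirname( $path ) !== $dir ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// Only the hardened handlers are registered; the weak ones are shown for contrast.
add_filter( 'heartbeat_received', 'demo_backup_heartbeat_safe', 10, 2 );
add_action( 'admin_init', 'demo_backup_download_safe' );
```

The point of the hardened versions is ordering: the capability check decides who may act, the nonce only proves the request came from that user’s own session, and neither $pagenow nor the fact that admin_init fired says anything about who is asking.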
WordPress Forces UpdraftPlus Update
The vulnerability is severe enough that WordPress.org took the extraordinary step of forcing an automatic update on installations that had not yet updated UpdraftPlus to the fixed version.
Publishers should not take it for granted that the forced update reached their site, and should verify the installed version themselves.
Affected UpdraftPlus Versions
UpdraftPlus free versions prior to 1.22.3 and UpdraftPlus Premium versions prior to 2.22.3 are vulnerable.
Publishers are advised to check in the WordPress plugins screen that they are running 1.22.3 (free) or 2.22.3 (Premium) or later, and to update immediately if not.
Citation
Read the Jetpack announcement
Critical bug fixed in UpdraftPlus 1.22.3
Read the UpdraftPlus announcement
UpdraftPlus Security Version – 1.22.3 / 2.22.3 – Please upgrade
Read U.S. government documentation on vulnerabilities