Automattic, the company behind WordPress, discovered a severe vulnerability in UpdraftPlus, a popular WordPress backup plugin. A recent update by the UpdraftPlus plugin authors introduced this security flaw, which allowed any logged-in user to access and download the site's backups. In simple words, the updated version did not validate user roles properly before serving a backup.
What is the Effect:
This vulnerability allows an attacker to steal all of the site's sensitive data, such as user names and password hashes. Any user, irrespective of role, can download backups made with the plugin. Because these backups contain the whole site, including configuration files and credentials, the impact is significantly greater than it first appears. The vulnerability (CVE-2022-0633) was rated high severity, with a CVSS score of 8.5.
What is UpdraftPlus?
UpdraftPlus is one of the most popular WordPress backup plugins, with more than three million active installations. It lets administrators back up the whole website and restore it in various situations. With this plugin, backup files can also be sent to any email address of the administrator's choice.
Present Status:
Free plugin versions before 1.22.3 and premium versions before 2.22.3 are affected.
In a rare step, given the severity of the risk, WordPress pushed a forced update of the UpdraftPlus plugin to all sites.
What to Do?
If you installed the UpdraftPlus plugin on your WordPress website:
- Check the website immediately and make sure the plugin is updated to the latest version (1.22.3 or higher for the free plugin, 2.22.3 or higher for premium).
- Review the user list and verify any suspicious user registrations.
- Update all themes and plugins to their latest versions.
- Update the WordPress core software to the latest version.
- Enable auto-updates for all plugins and themes.
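The checklist above can be scripted for sites managed from the command line. The following is an added example, not code from the original article or from the UpdraftPlus project: it compares the installed UpdraftPlus version against the fixed releases named above (1.22.3 for the free plugin, 2.22.3 for premium), updates the plugin if it is still affected, dumps the user list for review of suspicious registrations, and then applies the remaining steps. It assumes WP-CLI (`wp`) is installed and that the site's root directory is passed as the first argument; the function names `version_lt`, `updraft_needs_update` and `check_site` are the example's own.

```shell
#!/bin/sh
# Added example: audit and remediate a WordPress site for CVE-2022-0633 with WP-CLI.
# Assumes WP-CLI is available as `wp`; function names are the example's own.
set -e

# version_lt A B: exit 0 if dotted numeric version A is strictly lower than B.
# Pure POSIX sh, so it does not depend on GNU `sort -V`.
version_lt() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}
        p2=${v2%%.*}
        if [ "$v1" = "$p1" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$v2" = "$p2" ]; then v2=; else v2=${v2#*.}; fi
        p1=${p1:-0}   # missing components count as zero (1.22 == 1.22.0)
        p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
    done
    return 1  # equal
}

# updraft_needs_update VERSION: exit 0 if VERSION is an affected release.
# Free builds use the 1.x line (fixed in 1.22.3), premium builds the 2.x line
# (fixed in 2.22.3), as stated in the advisory above.
updraft_needs_update() {
    case $1 in
        1.*) version_lt "$1" 1.22.3 ;;
        2.*) version_lt "$1" 2.22.3 ;;
        *)   return 1 ;;  # unknown line: not a known-affected release
    esac
}

# check_site WP_ROOT: run the advisory checklist against one installation.
check_site() {
    wp_path=${1:-.}

    # Step 1: confirm the plugin is at or above the fixed release.
    installed=$(wp --path="$wp_path" plugin get updraftplus --field=version)
    if updraft_needs_update "$installed"; then
        echo "UpdraftPlus $installed is affected by CVE-2022-0633; updating now"
        wp --path="$wp_path" plugin update updraftplus
    else
        echo "UpdraftPlus $installed is at or above the fixed release"
    fi

    # Step 2: list every account with its registration date and roles so that
    # unexpected registrations (especially privileged ones) can be reviewed.
    echo "User accounts (review unfamiliar logins and recent registrations):"
    wp --path="$wp_path" user list \
        --fields=ID,user_login,user_email,user_registered,roles --format=csv

    # Steps 3 and 4: bring plugins, themes and core up to date.
    wp --path="$wp_path" plugin update --all
    wp --path="$wp_path" theme update --all
    wp --path="$wp_path" core update

    # Step 5: turn on auto-updates so the next forced fix lands without manual work.
    wp --path="$wp_path" plugin auto-updates enable --all
    wp --path="$wp_path" theme auto-updates enable --all
}

# Usage: sh updraft-check.sh --check /var/www/html
if [ "${1:-}" = "--check" ]; then
    check_site "${2:-.}"
fi
```

The version comparison is split into its own function so that it can be reused for other plugins by changing the fixed-release constants; `wp plugin get ... --field=version` fails loudly (and, with `set -e`, stops the script) when UpdraftPlus is not installed, which is the correct outcome for a remediation script rather than silently reporting the site as clean.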