The WordPress developers have taken the rare step of forcibly updating the UpdraftPlus plugin on all sites where it is installed. This was due to a serious vulnerability that allowed even low-privileged users to download the latest database backups, which often contain credentials and other personal information.
Vulnerability that received an identifier CVE-2022-0633 (8.5 points on the CVSS scale), affects the UpdraftPlus plugin from version 1.16.7 to 1.22.2. The developers have already fixed the bug in versions 1.22.3 and 2.22.3 (Premium).
A bug in the plug-in, installed more than three million times in total, was discovered by information security researcher Mark Monpas. In theory, UpdraftPlus helps administrators simplify the process of backup and restore through the function of scheduled backups, as well as automatically sending backups to the email address of the site operator.
As it is now tell Wordfence Threat Intelligence experts, the vulnerability allowed any logged-in user (including users with low subscriber-level privileges) to download backups made using the plugin. The root of the problem was incorrect checking of users, as well as whether they had the necessary privileges that are needed to access the nonce-id of the backup and timestamps.
Of course, such backups are a real treasure trove of confidential data, because they usually contain configuration files that can be used to access the site database and its contents.
The vulnerability was discovered on February 14, 2022, which was immediately notified to the UpdraftPlus developers. Since the patch was released almost immediately, already on February 16, 2022, after assessing the potential damage from attacks on this vulnerability, WordPress began to forcefully update all plugin installations to version 1.22.3. According to official statistics WordPress, 783,000 plugin installs were updated on the 16th, and another 1.7 million on the 17th.