
A security researcher at Automattic discovered a vulnerability affecting the popular WordPress backup plugin, UpdraftPlus. The vulnerability allowed hackers to download user names and hashed passwords. Automattic calls it a “severe vulnerability.”
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is a popular WordPress backup plugin that’s actively installed in over 3 million websites.
The plugin allows WordPress administrators to backup their WordPress installations, including the entire database which contains user credentials, passwords, and other sensitive information.
Publishers rely on UpdraftPlus to adhere to the highest standards of security in their plugin because of how sensitive the data is that’s backed up with the plugin.
UpdraftPlus Vulnerability
The vulnerability was discovered during an audit conducted by a security researcher at Automattic’s Jetpack.
They discovered two previously unknown vulnerabilities.
The first was related to how UpdraftPlus security tokens, called nonces, could be leaked. This allowed an attacker to obtain the backup, including the nonce.
According to WordPress, nonces are not supposed to be the main line of defense against hackers. WordPress explicitly states that functions should be protected by validating that the current user holds the required capability (by using the function current_user_can()).
WordPress explains:
“Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.”
The second flaw was linked to incorrect validation of a registered user’s role, which is precisely the check WordPress recommends developers rely on to secure plugins.
Because of that improper user role validation, someone holding the data leaked through the first vulnerability could download any of the backups, which of course contained sensitive information.
Jetpack describes it:
“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn’t directly validate users’ roles either.
While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.
Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”
The United States Government National Vulnerability database warns that UpdraftPlus didn’t “…properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.”
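The pattern Jetpack describes, a backup-download handler hooked to admin_init that trusts a nonce and the $pagenow global instead of checking the caller’s capability, is illustrated below beside a hardened version. This is an added example written for this article, not UpdraftPlus’s own code; the function names, query parameters, option name and nonce action are assumptions.

```php
<?php
// Added illustration (not UpdraftPlus's code): a hypothetical backup-download
// handler on admin_init, first relying on a nonce and $pagenow, then hardened
// with an explicit capability check. All names here are assumptions.

// Vulnerable pattern: the nonce and $pagenow are treated as authorization.
// Any logged-in account that has learned the nonce reaches the download, and
// WordPress notes that $pagenow can reflect user-controlled input.
function example_download_backup_vulnerable() {
    global $pagenow;
    if ( 'admin.php' !== $pagenow ) {
        return;
    }
    if ( empty( $_GET['example_download'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'example-download-backup' ) ) {
        wp_die( 'Invalid request.' );
    }
    example_stream_backup_file();
}

// Hardened pattern: check the capability first, then the nonce.
// current_user_can() is the access control WordPress tells plugin authors to
// use; the nonce only defends against CSRF, not against a subscriber account.
function example_download_backup_hardened() {
    if ( empty( $_GET['example_download'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to download backups.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example-download-backup' ); // dies on a bad nonce
    example_stream_backup_file();
}

// Assumed helper: locate the latest backup archive and send it to the browser.
function example_stream_backup_file() {
    $path = get_option( 'example_latest_backup_path' );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'No backup available.' );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// Only the hardened handler is registered.
add_action( 'admin_init', 'example_download_backup_hardened' );
```

When reviewing a plugin, look for admin_init or AJAX handlers that serve files after only a nonce or $pagenow check; the missing current_user_can() call is the defect, and adding it is the fix.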
UpdraftPlus Updates Forced by WordPress
Because the flaw was so serious, WordPress took the unusual step of forcing automatic updates on all installations that hadn’t yet updated UpdraftPlus to the most recent version.
However, it is recommended that publishers assume that their installation has been updated.
UpdraftPlus Versions Affected
The vulnerability affects UpdraftPlus free versions prior to 1.22.3 and UpdraftPlus premium versions prior to 2.22.3.
It’s recommended that publishers make sure they’re running the most recent version of UpdraftPlus.