Security experts are urging users of a popular WordPress plugin to update immediately after a bug was found that could allow attackers to steal sensitive data and potentially even hijack vulnerable sites.
UpDraft Plus describes itself as “the world’s most trusted WordPress backup.”
This makes it a “treasure trove” of valuable data, including configuration files that could be used to access websites’ backend databases and their contents, warned security vendor Wordfence.
Unfortunately, the new vulnerability (CVE-2022-0633) could allow any logged-in user, including subscriber-level users, to download backups made with the plugin.
“One of the features that the plugin implemented was the ability to send backup download links to an email of the site owner’s choice,” the firm explained. “Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files.”
Threat actors would need an active account on a victim’s system to exploit the vulnerability, meaning it would be largely confined to highly targeted attacks. However, a CVSS score of 8.5 is rated high severity.
“The consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database,” said Wordfence.
All UpDraft Plus users are urged to upgrade to version 1.22.3, fixing the bug.
“WordPress represents one of the largest backends of websites on the internet. The security problems in WordPress come from its vast ecosystem of plugins that run the gamut from capable developers to hobbyists,” explained Netenrich principal threat hunter, John Bambenek.
“Access to the backups and database will likely first be used for credential theft but there are many possibilities for attackers to take advantage of the information. It’s a good and proactive move for WordPress to have its own threat intel team that is working vulnerabilities in third-party plugins.”