Updates have been released for UpdraftPlus, a WordPress plugin with over 3 million installations, after a vulnerability was discovered by Jetpack security researcher Marc Montpas.
Montpas said the issue was discovered during an internal audit of the UpdraftPlus plugin. The Jetpack team “uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.”
He explained that if exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database like usernames and hashed passwords.
“We reported the vulnerability to the plugin’s authors, and they recently released version 1.22.3 to address it. Forced auto-updates have also been pushed due to the severity of this issue,” Montpas said.
UpdraftPlus lead developer David Anderson said they received a security defect report from Montpas on February 15.
“This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status,” Anderson noted.
“This allowed the obtaining of an internal identifier which was otherwise unknown, and could then be used to pass a check upon permission to download.”
In a blog post, the Wordfence Threat Intelligence team explained that backups are a treasure trove of sensitive information, and frequently include configuration files that can be used to access the site database as well as the contents of the database itself, the WordPress security company explained.
The researchers examined the patch and were able to create a proof of concept. In an original version of the blog, Wordfence said the attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a backup.
But it was later updated to say Wordfence found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”
UpdraftPlus patched the vulnerability on Thursday in version 1.22.3 and they urged users to check their website to make sure they were running the latest version.
“UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained.
“The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”
The company said the issue revolves around the UpdraftPlus_Options::admin_page() === $pagenow check. Attackers can fool the $pagenow check into thinking that the request is to options-general.php, while WordPress still sees the request as being to an allowed endpoint of admin-post.php, according to Wordfence.
Wordfence added that in order to exploit the vulnerability, the hacker would need an active account on the target system.
“As such it is likely only to be used in targeted attacks. The consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database,” Wordfence said.
“As such we urge all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, if you have not already done so, since the consequences of a successful exploit would be severe.”
Netenrich’s John Bambenek told ZDNet that WordPress represents one of the largest backends of websites on the Internet and the security problems come from its vast ecosystem of plugins that run the gamut from capable developers to hobbyists.
“Access to the backups and database will likely first be used for credential theft but there are many possibilities for attackers to take advantage of the information,” Bambenek said.
Vulcan Cyber engineer Mike Parkin suggested creating a firewall rule to mitigate this vulnerability until the patch is applied