On February 17, 2022, UpdraftPlus, a WordPress plugin with over 3 million installations, released an update containing a security fix for a vulnerability discovered by researcher Marc Montpas. The vulnerability allows any logged-in user to download backups made with UpdraftPlus. The plugin is popular among our customers and users worldwide because it is free and easy to use. Backups often contain sensitive information, such as files that can be used to access the site database, which makes this vulnerability particularly harmful.
Here’s What You Need To Know About The UpdraftPlus Vulnerability
The vulnerability allowed any logged-in user, regardless of their UpdraftPlus permissions, to download an existing backup, a privilege that should have been restricted to administrative users only. If you have any existing backup made with UpdraftPlus, you are potentially vulnerable to a technically skilled user downloading it.
Although it would take a technically skilled user to figure out how to download other users’ backups, the consequences would be severe. Affected sites are at risk of data loss and data theft. If an attacker obtains a copy of your site’s backup, they may recover leaked passwords and personally identifiable information (PII) and, in some cases, database credentials that allow a full site takeover.
How to Mitigate the UpdraftPlus Vulnerability
The recent security release of UpdraftPlus includes version 1.22.3 (free version) and 2.22.3 (paid versions). If you have not already done so, please ensure your site is running the most up-to-date version of the plugin.
Paying customers of UpdraftPlus are additionally protected from any exploits targeting this vulnerability by a firewall rule. Free users will not receive this protection until March 19, 2022, which is why we urge you to update as soon as possible.
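As an added check that is not part of this advisory or of the UpdraftPlus project, the POSIX shell script below reports whether an installed UpdraftPlus version is older than the fixed releases named above (1.22.3 free, 2.22.3 paid). The live-site helper assumes WP-CLI is installed and uses a placeholder site path; the version comparison itself needs nothing beyond /bin/sh.

```shell
#!/bin/sh
# Added example, not code from the advisory or from UpdraftPlus: decide whether
# an installed UpdraftPlus version still predates the fixed releases
# (1.22.3 for the free plugin, 2.22.3 for the paid editions).

# version_ge A B: exit 0 when dotted numeric version A is >= B, else 1.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                 # leading component of each
        [ "$ai" = "$a" ] && a="" || a=${a#*.}    # drop it from the remainder
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# updraftplus_is_fixed VERSION: 0 = patched, 1 = still vulnerable,
# 2 = version string not understood (non-numeric, or a line not named above).
updraftplus_is_fixed() {
    case "$1" in
        ""|*[!0-9.]*) return 2 ;;
        1.*) version_ge "$1" "1.22.3" ;;   # free edition
        2.*) version_ge "$1" "2.22.3" ;;   # paid editions
        *)   return 2 ;;
    esac
}

# check_site [PATH]: query a live site through WP-CLI (assumed installed; the
# default path is a placeholder) and print the verdict.
check_site() {
    site_path="${1:-/var/www/html}"
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; call updraftplus_is_fixed with the version by hand" >&2
        return 2
    fi
    installed=$(wp plugin get updraftplus --field=version --path="$site_path") || return 2
    rc=0; updraftplus_is_fixed "$installed" || rc=$?
    case $rc in
        0) echo "UpdraftPlus $installed: patched" ;;
        1) echo "UpdraftPlus $installed: older than the fixed release, update now" >&2 ;;
        *) echo "UpdraftPlus $installed: version string not understood" >&2 ;;
    esac
    return $rc
}
```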