
Warning! WordPress Plugin Vulnerability Threatens Millions of Pages


It's that time of the month again, when yet another WordPress plugin vulnerability pops up, almost like clockwork. This time the vulnerability concerns the plugin UpdraftPlus, a backup plugin installed on roughly 3 million websites running the publishing platform.

Privileged Access to Backups

The issue was discovered by security researcher Marc Montpas and was later examined in a detailed post by Wordfence, a team specializing in WordPress security. The flaw in UpdraftPlus was assigned the identifier CVE-2022-0633 and received a CVSS severity rating of 8.5 (High).

The vulnerability allowed any active, logged-in user on a WordPress site running UpdraftPlus, regardless of role, to download the site's existing backups, an action that should require elevated privileges such as those of an administrator.

A site backup holds the database, including user password hashes, and the site's files, including wp-config.php with the database credentials. Being able to simply grab all of it can lead to all sorts of issues down the road, from credential theft to exposure of sensitive and privileged information.

Wordfence explained that a bad actor who sent a specifically tailored heartbeat request to the site would receive a "backup log containing a backup nonce and timestamp". The log, nonce and timestamp together were enough to download the website's backups in bulk. The nonce here is a CSRF token, not an authorization check, so merely possessing it was enough to pass the download endpoint's only gate.
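The underlying mistake, a download handler that checks a nonce but never checks a capability, is common enough to be worth showing in the abstract. The following is an added illustration written for this page, not UpdraftPlus code, using a hypothetical plugin prefix `examplebackup`, a hypothetical backup directory under `wp-content`, and a hypothetical `backup_id` POST parameter. It places the weak handler beside the hardened one so the difference is the single capability check:

```php
<?php
// Added illustration, not code from UpdraftPlus or Wordfence.
// Hypothetical plugin prefix "examplebackup"; the backup directory and the
// "backup_id" parameter are assumptions made for this example.
//
// Both handlers hang off the wp_ajax_ hook (not wp_ajax_nopriv_), so WordPress
// already requires a logged-in user. That is authentication, not authorization:
// a subscriber is just as "logged in" as an administrator.

// Resolve a client-supplied identifier to a file inside the backup directory only.
function examplebackup_resolve_backup( $id ) {
    $dir  = trailingslashit( WP_CONTENT_DIR ) . 'examplebackup/'; // assumed location
    $name = basename( $id );                                      // drop any path components
    $path = $dir . $name;
    if ( '' === $name || ! preg_match( '/\.zip$/', $name ) || ! is_file( $path ) ) {
        return false;
    }
    return $path;
}

// Send the archive to the client and stop WordPress from appending anything.
function examplebackup_stream_file( $path ) {
    nocache_headers();
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    wp_die();
}

// WEAK: relies on the nonce alone. check_ajax_referer() proves the request came
// from a page the user loaded (CSRF protection); it says nothing about whether the
// user may perform the action. Any logged-in account that obtains a valid nonce,
// by whatever route, can download the backup.
function examplebackup_download_weak() {
    check_ajax_referer( 'examplebackup_download', 'nonce' );

    $file = examplebackup_resolve_backup( sanitize_text_field( $_POST['backup_id'] ?? '' ) );
    if ( ! $file ) {
        wp_send_json_error( 'unknown backup', 404 );
    }
    examplebackup_stream_file( $file );
}

// HARDENED: nonce for CSRF, plus an explicit capability check for authorization.
// 'manage_options' is held only by administrators on a single-site install, so a
// leaked nonce in the hands of a low-privilege user no longer buys a download.
function examplebackup_download_hardened() {
    check_ajax_referer( 'examplebackup_download', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $file = examplebackup_resolve_backup( sanitize_text_field( $_POST['backup_id'] ?? '' ) );
    if ( ! $file ) {
        wp_send_json_error( 'unknown backup', 404 );
    }
    examplebackup_stream_file( $file );
}

// Only the hardened handler is registered; the weak one is kept for comparison.
add_action( 'wp_ajax_examplebackup_download', 'examplebackup_download_hardened' );
```

When auditing a plugin for this class of bug, grep every `wp_ajax_`, `admin_post_` and REST route callback that touches backups, exports or settings and confirm it calls `current_user_can()` (or a REST `permission_callback`) in addition to verifying a nonce; a nonce check on its own is never an authorization decision.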

Popular Plugins Offer Large Attack Surface

The vulnerability is less severe than it first appears: an external attacker would still need an account on the target WordPress site. A set of compromised login credentials, or a self-registered low-privilege account on a site that allows open registration, would be enough, however. Researchers consider this mitigating factor offset by the popularity of UpdraftPlus, which is installed on about 3 million websites. Sites running the plugin should update to the patched release, and administrators should ask whether open user registration is actually needed.

In January 2022 alone, several high-severity bugs were discovered in WordPress plugins, including one with a severity rating of 10. The problem with plugin flaws is that many of the affected plugins are very widely adopted, as UpdraftPlus is, which gives threat actors a very large potential attack surface.
