UpdraftPlus, a WordPress plugin with over three million downloads, has been patched to address a “serious” security flaw that can be used to extract the web’s private information using an account on the affected sites.
“From March 2019 onwards, all versions of UpdraftPlus have contained a vulnerability caused by a missing permissions-level check, enabling untrusted users access to backups,” the plugin’s developers wrote in a statement published last week.
On February 14, Automattic security researcher Marc-Alexandre Montpas was credited with discovering and publishing the bug, which has been assigned the identifier CVE-2022–0633 (CVSS score: 8.5). UpdraftPlus versions 1.16.7 through 1.22.2 are affected by the problem.
UpdraftPlus is a backup and restoration solution for WordPress files, databases, plugins, and themes that can be restored via the WordPress admin panel. This flaw has the unintended result of allowing any logged-in user on a WordPress installation with UpdraftPlus installed to download an existing backup — permissions that should have been restricted for administrator users only.
It could also result in “in certain situations site takeover if the attacker is able to gain database credentials from a configuration file and successfully access the site database,” according to WordPress security firm Wordfence.
To avoid any potential exploitation, users of the UpdraftPlus plugin should update to version 1.22.3 (or 2.22.3 for the Premium version). As of February 17, the most recent version is 1.22.4, which fixes issues with printing auto-backup settings on PHP 8.