The Wordfence team announced that they have discovered a vulnerability in UpdraftPlus, a popular WordPress backup, restore and clone plugin with more than 3 million installations. The vulnerability was discovered by security researcher Marc Montpas. The team investigated the issue, created a proof of concept and released a firewall rule. The vulnerability allows any logged-in user to download backups created by the plugin.
Sensitive information
The backup data can even include database credentials, which can cause site takeovers.
Wordfence stated that the backups may contain sensitive information, including configuration files, allowing an attacker to access the site's database and its contents. The vulnerability, tracked as CVE-2022-0633, was patched in UpdraftPlus version 1.22.3, which users are advised to apply as soon as possible.
The issue was caused by an insecurely implemented feature that sends backup download links by email. The vulnerability allows low-privileged users to craft a link that lets them download the backup file. To exploit the vulnerability, an attacker sends a crafted heartbeat request containing a data[updraftplus] parameter. If the attack is successful, the attacker can even take over the website if database credentials are also leaked from a configuration file. The Wordfence team urged all UpdraftPlus users to update the plugin to the latest version, 1.22.3.
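For site owners triaging this advisory, the first question is whether an installed copy predates the fixed release. The script below is an added example, not Wordfence or UpdraftPlus code: it reads the standard WordPress plugin header (the "Version:" field) from the plugin's main file and compares it with 1.22.3, the patched version named above. The plugin path `wp-content/plugins/updraftplus/updraftplus.php` and the sample header are assumptions made for the illustration; adjust the path if your install differs.

```python
"""Check whether an installed UpdraftPlus copy predates the CVE-2022-0633 fix.

Added illustration, not Wordfence or UpdraftPlus code. It parses the WordPress
plugin header ("Version: x.y.z") and compares it with the first patched release
named in the advisory, 1.22.3.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

PATCHED_VERSION = "1.22.3"  # first fixed release, from the advisory text

# Assumption: the plugin's main file lives at this path under the WordPress root.
PLUGIN_MAIN_FILE = "wp-content/plugins/updraftplus/updraftplus.php"

# Matches "Version: 1.22.2" or " * Version: 1.22.2" inside the header comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.22.3' into (1, 22, 3). A non-numeric suffix such as '-beta'
    ends the parse, so '1.22.3-beta' compares as (1, 22, 3)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def header_version(plugin_header: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(plugin_header)
    return m.group(1) if m else None


def is_vulnerable(plugin_header: str, patched: str = PATCHED_VERSION) -> Optional[bool]:
    """True if the header's version is older than the patched release,
    False if it is the patched release or newer, None if no version is found.
    Tuple comparison keeps 1.22.10 newer than 1.22.3 (string comparison would not)."""
    found = header_version(plugin_header)
    if found is None:
        return None
    return parse_version(found) < parse_version(patched)


def check_install(wp_root: str) -> Optional[bool]:
    """Read the plugin's main file under wp_root and decide; None if absent."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return None
    return is_vulnerable(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample header in the WordPress plugin-header format (not a real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.22.2
*/
"""

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    verdict = check_install(root)
    if verdict is None:
        print("UpdraftPlus not found or no Version: header at", Path(root) / PLUGIN_MAIN_FILE)
    elif verdict:
        print("Installed UpdraftPlus predates", PATCHED_VERSION, "- update the plugin")
    else:
        print("Installed UpdraftPlus is", PATCHED_VERSION, "or newer")
```

Run it as `python check_updraftplus.py /var/www/html` (or any WordPress root). A `None` result means the check could not decide and the install should be inspected by hand rather than assumed safe.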