October 4, 2023

The Wordfence team announced that they have discovered a vulnerability in UpdraftPlus, a popular WordPress backup, restore and clone plugin that has been installed more than 3 million times. The vulnerability allows any logged-in user to download backups created by the plugin.

The plugin’s admin_action_upgrade_pluginortheme() method was hooked to the WordPress ‘admin_action_’ action, which can be executed when a logged-in user visits a page in /wp-admin/ that includes the /wp-admin/admin.php file and has the ‘action’ GET parameter set to a specific value.


Doing this would result in the plugin leaking the ‘updraftplus-credentialtest-nonce’ nonce, which was also used in several other places in the code, namely in the plugin’s AJAX handler.

With that nonce, an attacker could, among other things, display a phpinfo() page including all of the website’s defined constants (which include the WordPress secret keys, database credentials and table prefix), execute every hook present in the current context, and download the site’s backup files.

Wordfence stated that the backups may include sensitive information, including configuration files, which would allow an attacker to access the site’s database and its contents. The vulnerability, tracked as CVE-2022-0633, was patched in UpdraftPlus version 1.22.3, and users are advised to update as soon as possible.


The issue was caused by an insecurely implemented feature that allows backup download links to be sent to an email address. The vulnerability allows low-privileged users to craft a link that lets them download the backup file. To exploit the vulnerability, the attacker has to send a crafted heartbeat request containing a data parameter. If the attack succeeds, the attacker can even take over the website if the database credentials are also leaked from a configuration file. The Wordfence team urged all UpdraftPlus users to update the plugin to its latest version, 1.22.3.
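The root cause described above is a general WordPress pattern: a nonce that is shared between actions and obtainable by any logged-in user is treated as if it were authorization. The following added illustration (not UpdraftPlus’s code; all function, nonce and helper names are hypothetical) shows a backup-download AJAX handler in that weak form and in a hardened form that uses a dedicated nonce, an explicit capability check and a path check.

```php
<?php
// Added illustration with hypothetical names; not the plugin's own code.
// Assumes helpers example_backup_dir() and example_stream_backup_file( $path ) exist.

// WEAK: the only gate is a nonce that is also issued for other actions and that
// any logged-in user can obtain. A nonce proves request intent, not privilege.
function example_weak_download_backup() {
    check_ajax_referer( 'example-shared-nonce', 'nonce' ); // reused by several handlers
    $file = sanitize_file_name( $_POST['file'] ?? '' );
    example_stream_backup_file( example_backup_dir() . $file ); // no capability check
    wp_die();
}

// HARDENED: dedicated nonce, capability check, and the file confined to the backup dir.
function example_hardened_download_backup() {
    // Nonce tied to this one action only, never handed out by other code paths.
    check_ajax_referer( 'example-download-backup-nonce', 'nonce' );

    // Authorization: only users who may manage the site can fetch backups.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Resolve the requested name inside the backup directory and reject anything outside it.
    $base = realpath( example_backup_dir() );
    $path = realpath( trailingslashit( $base ) . sanitize_file_name( $_POST['file'] ?? '' ) );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid backup file' ), 400 );
    }

    example_stream_backup_file( $path );
    wp_die();
}

// Issue the dedicated nonce only to users who are allowed to use it, so an
// unprivileged account cannot pick it up from an admin page it can reach.
function example_download_nonce_for_admin() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    return wp_create_nonce( 'example-download-backup-nonce' );
}

add_action( 'wp_ajax_example_download_backup', 'example_hardened_download_backup' );
```

The capability check is the part the nonce cannot replace: a leaked or shared nonce only lets a low-privileged user pass check_ajax_referer(), whereas current_user_can() stops the request regardless of which nonce was presented.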
