Millions of WordPress sites have received a forced patch in the last few days, Ars Technica reported. The reason is a vulnerability in UpdraftPlus, a popular plugin that allows users to create and restore website backups. UpdraftPlus developers requested the mandatory patch as the vulnerability would allow anyone with an account to download a website’s entire database.
The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin. “This bug is very easy to exploit, with some very bad results if exploited,” he told Ars Technica. “This made it possible for low-privilege users to download backups from a website, which include raw database backups.”
He told UpdraftPlus developers about the bug on Tuesday of last week; they fixed it a day later and began force-installing the patch shortly after that. As of Thursday, 1.7 million sites had received it, out of more than 3 million users.
The main flaw was that UpdraftPlus did not correctly implement the WordPress “heartbeat” function: it did not verify that the requesting user actually had administrative privileges. A second issue was that a variable used to validate administrators could be modified by untrusted users, so the attack could be carried out from an ordinary low-privilege account.
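To make the two flaws concrete, here is an added illustration for a hypothetical backup plugin; it is not UpdraftPlus code and was not written by its developers. All function names prefixed `example_`, the nonce action string, and the `example_is_admin` request field are assumptions. The first handler hooks the WordPress `heartbeat_received` filter and makes both mistakes the article describes: it never checks the user's capability on the server, and it trusts a client-supplied flag to decide who is an administrator. The second handler and the download endpoint show the checks a plugin should make instead.

```php
<?php
/**
 * Added example, not UpdraftPlus code: a hypothetical backup plugin that hands
 * out a download token over the WordPress Heartbeat API. Everything prefixed
 * example_ is invented for this illustration.
 */

// --- Weak pattern: no server-side capability check, and the "is admin"
//     decision is taken from request data that any logged-in user controls.
function example_weak_heartbeat( $response, $data ) {
    if ( ! empty( $data['example_is_admin'] ) ) {
        // Any subscriber-level account can set example_is_admin and receive the token.
        $response['example_backup_nonce'] = wp_create_nonce( 'example-backup-download' );
    }
    return $response;
}

// --- Hardened pattern: the decision comes from the authenticated session
//     (current_user_can), never from fields in $data.
function example_hardened_heartbeat( $response, $data ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response; // low-privilege users get nothing extra back
    }
    if ( ! empty( $data['example_request_backup_nonce'] ) ) {
        $response['example_backup_nonce'] = wp_create_nonce( 'example-backup-download' );
    }
    return $response;
}

// --- The download endpoint repeats the capability check; a nonce alone is
//     not proof of authorization, only proof that the request came from
//     the site's own UI for this user.
function example_download_backup() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'example-backup-download', 'nonce' );

    // Record who downloaded a backup so the action is visible in logs.
    error_log( sprintf( 'example backup download by user %d', get_current_user_id() ) );

    // ... streaming of the backup file omitted from this illustration ...
    wp_die();
}

// Register the hardened handler and the AJAX endpoint (the weak handler is
// shown only for comparison and is deliberately not registered).
add_filter( 'heartbeat_received', 'example_hardened_heartbeat', 10, 2 );
add_action( 'wp_ajax_example_download_backup', 'example_download_backup' );
```

The point of the hardened version is that authorization is decided twice, both times from state the server owns (`current_user_can`), and the nonce only ties the request to that user's session. When reviewing a plugin for this class of bug, look for privileged data or tokens returned from `heartbeat_received` or `wp_ajax_*` handlers without a capability check immediately above them.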
WordPress was previously breached earlier this year, but that was done indirectly through a GoDaddy hack that exposed 1.2 million accounts. If you are running WordPress with the UpdraftPlus plugin, you should confirm that the plugin has been updated to 1.22.4 or later in the free version, or 2.22.4 and above in the premium version.