Get In Touch:

We are an IT Solutions Company committed to achieving customer satisfaction through excellent customer service.

1st Floor, Right Wing, 29, Dipeolu Street, Off Obafemi Awolowo Way, Ikeja, Lagos, Nigeria.
info@supportlinktech.com
+234 (0) 809 999 9758
SupportLink

Blog

Vulnerability found in WordPress plugin with over 3 million installations

Updates have been released for UpdraftPlus, a WordPress plugin with over 3 million installations after a vulnerability was discovered by Jetpack security researcher Marc Montpas. 

Information gathered has revealed that the Jetpack team “uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.” This was discovered after an internal audit of the UpdraftPlus plugin.

It was disclosed that this security threat can grant attackers access to privileged information from the affected site’s database like usernames and hashed passwords. 

“We reported the vulnerability to the plugin’s authors, and they recently released version 1.22.3 to address it. Forced auto-updates have also been pushed due to the severity of this issue,” Montpas said. 

UpdraftPlus lead developer David Anderson said they received a security defect report from Montpas on February 15. 

“This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status,” Anderson noted.

“This allowed the obtaining of an internal identifier which was otherwise unknown, and could then be used to pass a check upon permission to download.”

But it was later updated to say Wordfence found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”

UpdraftPlus patched the vulnerability on Thursday in version 1.22.3 and they urged users to check their website to make sure they were running the latest version. 

Comments (2)

Patriciat
June 18, 2024
Reply

This article offers a fascinating perspective on the subject. The depth of research and clarity in presentation make it a valuable read for anyone interested in this topic. It’s refreshing to see such well-articulated insights that not only inform but also provoke thoughtful discussion. I particularly appreciated the way the author connected various aspects to provide a comprehensive understanding. It’s clear that a lot of effort went into compiling this piece, and it certainly pays off. Looking forward to reading more from this author and hearing other readers’ thoughts. Keep up the excellent work!

Shadow Huntert
June 21, 2024
Reply

Fantastic article! I appreciate how clearly you explained the topic. Your insights are both informative and thought-provoking. I’m curious about your thoughts on the future implications of this. How do you see this evolving over time? Looking forward to more discussions and perspectives from others. Thanks for sharing!

Leave a Comment

Your email address will not be published. Required fields are marked *