The UpdraftPlus WordPress plugin is a popular backup plugin, and it is time to patch or else risk sharing backups with strangers.
The UpdraftPlus developer has warned users to upgrade to the latest version, 1.22.3. The warning came just after Marc Montpas, a security research engineer at Automattic, discovered serious flaws that may lead to intrusion. The company has already promised to release a fix within two days.
UpdraftPlus released an advisory saying, “This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only.”
The firm further added, “This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown, and could then be used to pass a check upon permission to download.”
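To make the class of bug the advisory describes concrete, here is a constructed WordPress example. It is added here and is not UpdraftPlus code; the function names, hook names, the `example_backup_id` option key and the file path are placeholders. It shows a status endpoint that hands an internal backup identifier to any logged-in user because it has no capability check, beside a hardened version in which every backup-related handler requires `current_user_can( 'manage_options' )` and a nonce, so that knowing the identifier no longer stands in for authorisation.

```php
<?php
/*
 * Constructed example (not UpdraftPlus code). Two admin-ajax handlers for a
 * hypothetical backup plugin: one reports backup status, one serves the
 * backup file. All names below are placeholders.
 */

defined( 'ABSPATH' ) || exit;

/* ---------- BEFORE: status endpoint lacks a permissions check ---------- */

// wp_ajax_* hooks fire for any authenticated user, so this handler leaks the
// identifier that the download handler later treats as proof of authorisation.
function example_backup_status_vulnerable() {
    $backup_id = get_option( 'example_backup_id' ); // assumed to be secret
    wp_send_json( array( 'status' => 'complete', 'id' => $backup_id ) );
}

// Only check: does the caller know the identifier? That is a secret check,
// not an authorisation check, and the secret was just disclosed above.
function example_backup_download_vulnerable() {
    $requested = isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : '';
    if ( ! hash_equals( (string) get_option( 'example_backup_id' ), $requested ) ) {
        wp_die( 'Forbidden', 403 );
    }
    example_stream_backup_file();
}

/* ---------- AFTER: capability + nonce check on every backup endpoint ---------- */

function example_backup_require_admin( $nonce_action ) {
    // Authorisation first: only administrators may touch backups at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // CSRF protection second; a nonce alone never proves authorisation.
    check_ajax_referer( $nonce_action, 'nonce' );
}

function example_backup_status_fixed() {
    example_backup_require_admin( 'example_backup_status' );
    $backup_id = get_option( 'example_backup_id' );
    wp_send_json_success( array( 'status' => 'complete', 'id' => $backup_id ) );
}

function example_backup_download_fixed() {
    example_backup_require_admin( 'example_backup_download' );
    $requested = isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : '';
    // The identifier now only selects which backup to send; it no longer
    // decides whether the caller is allowed to receive it.
    if ( ! hash_equals( (string) get_option( 'example_backup_id' ), $requested ) ) {
        wp_send_json_error( 'unknown backup', 404 );
    }
    example_stream_backup_file();
}

// Placeholder for the file transfer; path is a constructed value.
function example_stream_backup_file() {
    $path = WP_CONTENT_DIR . '/example-backups/backup.zip';
    if ( ! is_readable( $path ) ) {
        wp_die( 'Backup not found', 404 );
    }
    nocache_headers();
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="backup.zip"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Only the hardened handlers are registered; the *_vulnerable functions are
// kept purely for comparison.
add_action( 'wp_ajax_example_backup_status', 'example_backup_status_fixed' );
add_action( 'wp_ajax_example_backup_download', 'example_backup_download_fixed' );
```

The point of the hardened version is the ordering: each endpoint asks "is this user allowed to do this?" before doing anything else, and the identifier and nonce are used only for selection and CSRF protection. When auditing a plugin for this pattern, look for any `wp_ajax_*` (or `wp_ajax_nopriv_*`) handler that returns data reused by a privileged action without itself calling `current_user_can()`.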
The attack vector is open only to logged-in users and is relatively complex, which means it cannot be used to carry out large-scale attacks. You can read Montpas’s full breakdown here. Attacks are more likely to be selective and to target sites that haven’t patched.