A vulnerability in the UpdraftPlus plugin allowed any logged-in user to download a site's database backups; a patch has been force-installed on millions of WordPress sites to fix the issue
WordPress.org recently pushed a forced update to millions of websites to fix a critical vulnerability in the UpdraftPlus backup plugin. The flaw let an attacker holding any account on a vulnerable site, even a low-privilege one, download a complete backup of the site's database.
The patch was rolled out at the request of the UpdraftPlus development team once the vulnerability had been identified. It permitted untrusted users, including ordinary customers, to download private database backups as long as they had an account on the site. Such backups can contain sensitive customer information, and the resulting data breach could expose the owners of affected websites to serious legal liability.
Why the UpdraftPlus vulnerability matters
UpdraftPlus is one of the most widely used backup plugins for WordPress. Its popularity comes from how easily site owners can schedule database backups from within the content management system and have them stored locally or pushed to remote cloud storage. According to Marc Montpas, the security researcher who discovered the vulnerability, it is easy to exploit and the consequences of a successful attack can be catastrophic.
The defect allowed any logged-in user to download a copy of the most recent database backup. This action should be restricted to administrator-level accounts, but the missing authorization check meant that even the lowest-privilege account, such as a subscriber, could perform it. The vulnerability was found during a security audit of the plugin. Within 24 hours the developers released a patch and agreed to have it force-installed on every WordPress site running UpdraftPlus.
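The authorization gap described above, shown as an added illustrative example in WordPress plugin PHP. This is not UpdraftPlus's code and does not reproduce the plugin's internals; the hook name `example_download_backup`, the helper functions and the backup directory are assumptions made for the example. The first handler trusts every authenticated user because `wp_ajax_*` hooks already require a login, while the hardened version additionally requires an administrator capability and a nonce, and validates the file it serves.

```php
<?php
// Illustrative example only: NOT code from the UpdraftPlus plugin.
// Shows the general class of bug described in the article: a backup-download
// handler that trusts any logged-in user, next to a hardened version.

// Assumed backup location for the example.
define( 'EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/example-backups/' );

// Returns the path of the newest database backup archive, or null if none.
function example_latest_backup_path() {
    $files = glob( EXAMPLE_BACKUP_DIR . '*-db.gz' );
    if ( empty( $files ) ) {
        return null;
    }
    usort( $files, function ( $a, $b ) {
        return filemtime( $b ) - filemtime( $a ); // newest first
    } );
    return $files[0];
}

// Streams a file that has already been authorized and validated.
function example_stream_file( $path ) {
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// VULNERABLE: the wp_ajax_* prefix means WordPress only invokes this for
// authenticated requests, so "logged in" was mistaken for "trusted".
// Any subscriber or customer account can call
//   POST /wp-admin/admin-ajax.php?action=example_download_backup
// and receive the full database dump.
function example_download_backup_vulnerable() {
    $path = example_latest_backup_path();
    if ( null === $path ) {
        wp_send_json_error( array( 'message' => 'No backup found.' ), 404 );
    }
    example_stream_file( $path );
}

// HARDENED: require an administrator capability, a nonce bound to this
// action, and confirm the file really lives inside the backup directory.
function example_download_backup_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Dies with a 403 if the _ajax_nonce/_wpnonce parameter is missing or invalid.
    check_ajax_referer( 'example_download_backup' );

    $path = example_latest_backup_path();
    if ( null === $path ) {
        wp_send_json_error( array( 'message' => 'No backup found.' ), 404 );
    }
    // Defensive canonical-path check, in case the lookup is later changed to
    // accept a user-supplied file name.
    $real     = realpath( $path );
    $base_dir = realpath( EXAMPLE_BACKUP_DIR ) . DIRECTORY_SEPARATOR;
    if ( false === $real || 0 !== strpos( $real, $base_dir ) ) {
        wp_send_json_error( array( 'message' => 'Invalid backup path.' ), 400 );
    }
    example_stream_file( $real );
}

// Wire up the hardened handler; the vulnerable one is left unregistered and is
// shown only for comparison.
add_action( 'wp_ajax_example_download_backup', 'example_download_backup_hardened' );
```

The admin page that offers the download link would generate the matching nonce with `wp_create_nonce( 'example_download_backup' )`. The point to take away is that in WordPress a successful login is an authentication fact, not an authorization decision: any endpoint that serves privileged data must check a capability such as `manage_options` with `current_user_can()`, and the nonce only adds protection against cross-site request forgery, never a substitute for that capability check.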
According to the statistics available, the forced update reached 1.7 million WordPress sites on Thursday and a further 287,000 the following day. Plugin analytics indicate that over 3 million websites currently use UpdraftPlus.
While UpdraftPlus did well to ship a patch within 24 hours, a window of concern remains: an attacker who knew of the flaw could have exploited it before a site received the update, and sites that have not yet updated stay exposed until they do. At the time of writing, no incidents pointing to a data breach caused by this vulnerability have been reported.