Every week we see a new vulnerability affecting millions of WordPress websites, and this week is no exception. A vulnerability in the popular backup plugin UpdraftPlus has been uncovered that affects over 3 million WordPress websites. The vulnerability affects UpdraftPlus versions 1.16.7 to 1.22.2. The plugin's developers have already issued an update that fixes it.
If you also use the UpdraftPlus plugin, update it to the latest version as soon as possible.
The UpdraftPlus plugin makes it easy to back up and restore a WordPress website. It also offers scheduled backups and auto-download options.
The vulnerability, tracked as CVE-2022-0633, lets any authenticated user, even one with the lowest privilege level, craft a valid link to download the website's backups, including the raw database. The vulnerability is also easy to exploit.
Montpas, a researcher at Jetpack, found the vulnerability and reported it to the UpdraftPlus developers. A day after receiving the report, the developers released the update and agreed to force-install it on WordPress sites already running the plugin.
This is one of the rare cases where WordPress forces an auto-update onto all affected websites, because the vulnerability is easy to exploit and gives attackers access to the full website backup.
The vulnerability does not affect websites that do not allow user logins or that do not hold any backups.