stats count
Friday, August 12, 2022
Home Technology Millions of WordPress sites get forced update to patch critical plugin flaw

Millions of WordPress sites get forced update to patch critical plugin flaw


Getty Images

Millions of WordPress sites have received a forced update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory patch came at the request of UpdraftPlus developers because of the severity of the vulnerability, which allows untrusted subscribers, customers, and others to download the site’s private database as long as they have an account on the vulnerable site. Databases frequently include sensitive information about customers or the site’s security settings, leaving millions of sites susceptible to serious data breaches that spill passwords, user names, IP addresses, and more.

Bad outcomes, easy to exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the Internet’s most widely used scheduled backup plugin for the WordPress content management system. It streamlines data backup to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses fewer server resources than competing WordPress plugins.

“This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and privately reported it to the plugin developers. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups. Low-privilege accounts could mean a lot of things. Regular subscribers, customers (on e-commerce sites, for example), etc. ”

Montpas, a researcher at website security firm Jetpack, said he found the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers published a fix and agreed to force-install it on WordPress sites that had the plugin installed.

Stats provided by WordPress.org show that 1.7 million sites received the update on Thursday, and more than an additional 287,000 had installed it as of press time. WordPress says the plugin has 3+ million users.

In disclosing the vulnerability on Thursday, UpdraftPlus wrote:

This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown and could then be used to pass a check upon permission to download.

This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have any existing backup, then you are potentially vulnerable to a technically skilled user working out how to download the existing backup. Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public. I say “technically skilled” because at that point, no public proof of how to leverage this exploit has been made. At this point in time, it relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out. However, you should certainly not rely upon this taking long but should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.



Source link

RELATED ARTICLES

Game #109: San Diego Padres at Los Angeles Dodgers

San Diego Padres vs. Los Angeles Dodgers, August 5, 2022, 7:10 pm PT Location: Dodger Stadium, Los Angeles, CA TV: Bally Sports...

Observations from day 8 of 49ers training camp; Trey Lance gets it going

Here is what stood out from the 49ers eighth practice during training camp in Santa Clara. Trey Lance Lance had one of his better days...

Can the OnePlus 10T 5G be the flagship Android phone of 2022?

Within less than a few hours, the OnePlus 10T 5G will be officially released on the global market. The launch event...

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Game #109: San Diego Padres at Los Angeles Dodgers

San Diego Padres vs. Los Angeles Dodgers, August 5, 2022, 7:10 pm PT Location: Dodger Stadium, Los Angeles, CA TV: Bally Sports...

Observations from day 8 of 49ers training camp; Trey Lance gets it going

Here is what stood out from the 49ers eighth practice during training camp in Santa Clara. Trey Lance Lance had one of his better days...

Can the OnePlus 10T 5G be the flagship Android phone of 2022?

Within less than a few hours, the OnePlus 10T 5G will be officially released on the global market. The launch event...

Trent Alexander-Arnold: ‘We have to deliver trophies every season – minimum one!’ – Liverpool FC

Trent Alexander-Arnold admits it will be a "massive failure" if Liverpool do not win at least one trophy this season. Jurgen Klopp's side narrowly...

Recent Comments