UpdraftPlus Security Vulnerability Revealed

Is your WordPress website safe? Over 3 million websites compromised due to UpdraftPlus Plugin vulnerability

A severe vulnerability which allows hackers to download usernames and hashed passwords has been identified by security researchers at Automattic. The issue has the potential to impact the millions of websites using the popular WordPress backup plugin, UpdraftPlus.

The extremely popular UpdraftPlus is a backup plugin that’s actively installed on over 3 million websites. The plugin allows WordPress administrators to back up their websites in case of errors. The backups include sensitive data such as user credentials and password hashes – data which is now at risk.

So what happened?

Two previously unidentified vulnerabilities were discovered during a routine audit conducted by security researchers at Automattic.

The first issue relates to how the UpdraftPlus security tokens can be leaked, allowing an attacker to obtain a full website backup. It goes without saying that this is bad news.

According to WordPress, cryptographic nonces – the security tokens utilised by UpdraftPlus – should never be the main line of defence against hackers. A nonce only shows that a request came from a page WordPress generated for some logged-in user; it says nothing about what that user is allowed to do. Sensitive functions should therefore also be protected by properly validating whether the requesting user has the appropriate capabilities. UpdraftPlus fails in this regard.

The second vulnerability concerns the improper validation of a registered user’s role. This allows a hacker who holds the token leaked by the first vulnerability, but who is only a low-privileged user such as a subscriber, to download all sensitive information contained in the website’s backups.
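To show the difference between the two checks described above, here is an added illustration (not UpdraftPlus code and not taken from the announcements): a hypothetical WordPress AJAX handler that serves a backup archive, first protected by a nonce alone, then hardened with a capability check. The action name, nonce name and the `example-backups/` directory are assumptions made for the example.

```php
<?php
// Hypothetical handler for the example; `example-backups/` under the uploads
// directory is an assumed location, not where any real plugin stores backups.
function example_send_backup_file( $name ) {
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-backups/';
    $path = $dir . basename( $name ); // basename() rejects directory traversal
    if ( ! is_file( $path ) ) {
        wp_send_json_error( 'no such backup', 404 );
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    wp_die();
}

// Weak: the nonce proves the request came from a page WordPress rendered for
// a logged-in user, so a leaked nonce is enough for any subscriber to pass.
function example_download_backup_weak() {
    check_ajax_referer( 'example_backup_nonce', 'nonce' );
    example_send_backup_file( sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) ) );
}

// Hardened: the nonce still guards against CSRF, but authorisation is decided
// by the user's capability, which a leaked token cannot grant. Note that
// is_user_logged_in() alone would not help here: a subscriber is logged in too.
function example_download_backup_hardened() {
    check_ajax_referer( 'example_backup_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    example_send_backup_file( sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) ) );
}

// Only the hardened version is registered; wp_ajax_* hooks fire for logged-in users only.
add_action( 'wp_ajax_example_download_backup', 'example_download_backup_hardened' );
```

The capability check is the line that turns a leaked nonce from a full-backup download into a denied request; it is the check the article says was missing.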

To say this is a huge security concern is an understatement.

What should I do?

If you use UpdraftPlus, you should get in touch with us immediately for a free plugin audit. We can help you to take the necessary steps to secure your website and customers’ sensitive data before a breach occurs.

Plugin audits should be a regular check for any website owner. Remember, all plugins are third party applications and come with an inherent security risk. Whether it’s a vulnerability to hackers, or simply an update which causes an incompatibility that breaks your website, you need to be ready to act. Your business might depend on it.

Contact boxChilli for a free plugin audit today

Citations

Read the Jetpack Announcement

Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Read the UpdraftPlus Announcement

UpdraftPlus security release – 1.22.3 / 2.22.3 – please upgrade
