A security researcher at Automattic discovered a vulnerability affecting the popular WordPress backup plugin, UpdraftPlus. This flaw allowed hackers to download usernames and hashed passwords. Automattic has labeled it a “severe vulnerability.”
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is a widely used WordPress backup plugin installed on over 3 million websites.
The plugin enables WordPress administrators to back up their WordPress installations, including the entire database, which contains user credentials, passwords, and other sensitive information.
Publishers count on UpdraftPlus to maintain the highest security standards in its plugin due to the sensitive nature of the data being backed up.
UpdraftPlus Vulnerability
The vulnerability was identified during an audit conducted by a security researcher at Automattic’s Jetpack.
They found two previously unknown vulnerabilities.
The first issue concerned how UpdraftPlus’ security tokens, known as nonces, could be leaked. This allowed an attacker to obtain details of a site’s backups, including the nonce associated with them.
According to WordPress, nonces are not meant to be the main defense against attackers. Its documentation explicitly states that functions should be protected by checking that the current user holds the required capability, using the current_user_can() function.
WordPress explains:
“Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.”
The second vulnerability was due to improper validation of a registered user’s role, precisely the check WordPress warns plugin developers to perform.
This missing role validation allowed someone holding the data leaked by the first vulnerability to download any of the backups, which contain sensitive information.
Jetpack describes it:
“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init, didn’t directly validate users’ roles either.
While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.
Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”
The U.S. government’s National Vulnerability Database warns that UpdraftPlus didn’t “…properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as a subscriber) to download the most recent site & database backup.”
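To make the two failures concrete, here is a hypothetical WordPress backup-download handler written for this article (added example, not UpdraftPlus’ code): a weak version gated only by a nonce and the $pagenow global, beside a hardened version that checks the caller’s capability with current_user_can() before anything else. The function names, the manage_options capability and the backup directory are assumptions.

```php
<?php
// Hypothetical backup-download handler, added for illustration. Not UpdraftPlus code;
// the function names, capability and directory below are assumptions.

// Weak pattern: hooked to admin_init, which runs for any logged-in user who reaches
// /wp-admin/ (including admin-ajax.php), and gated only by $pagenow plus a nonce.
// A nonce proves intent, not privilege, and $pagenow is not a trustworthy gate.
function my_backups_download_weak() {
    global $pagenow;
    if ( 'options-general.php' !== $pagenow || empty( $_GET['my_backups_download'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_GET['my_backups_nonce'], 'my_backups_download' ) ) {
        wp_die( 'Invalid nonce.' );
    }
    // Any logged-in user holding a leaked nonce reaches this line.
    my_backups_send_file( sanitize_file_name( wp_unslash( $_GET['my_backups_download'] ) ) );
}

// Hardened pattern: authorization first, then the nonce as a CSRF layer, then serve.
function my_backups_download_hardened() {
    if ( empty( $_GET['my_backups_download'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage the site may fetch backups.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to download backups.', 403 );
    }
    // Intent check: the nonce is an additional layer, never the only gate.
    check_admin_referer( 'my_backups_download', 'my_backups_nonce' );
    my_backups_send_file( sanitize_file_name( wp_unslash( $_GET['my_backups_download'] ) ) );
}
add_action( 'admin_init', 'my_backups_download_hardened' );

// Assumed helper: streams one file from the plugin's backup directory and exits.
// basename() keeps the request from escaping that directory.
function my_backups_send_file( $name ) {
    $path = trailingslashit( WP_CONTENT_DIR . '/my-backups' ) . basename( $name );
    if ( ! is_readable( $path ) ) {
        wp_die( 'No such backup.', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

The difference to audit for in any plugin is the order of checks: a capability test has to run before the nonce test, and a nonce must never stand in for that capability test.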
WordPress Forced Updates of UpdraftPlus
The vulnerability was so significant that WordPress took the extraordinary step of forcing automatic updates on all installations that hadn’t yet updated UpdraftPlus to the latest version.
However, publishers are advised not to assume their installation has been updated.
Affected Versions of UpdraftPlus
UpdraftPlus free versions before 1.22.3 and UpdraftPlus premium versions before 2.22.3 are vulnerable to the attack.
It is recommended that publishers ensure they are using the very latest version of UpdraftPlus.
Citations
Read the Jetpack Announcement: Severe Vulnerability Fixed In UpdraftPlus 1.22.3
Read the UpdraftPlus Announcement: UpdraftPlus security release – 1.22.3 / 2.22.3 – please upgrade
Read the U.S. Government Documentation on the Vulnerability: CVE-2022-0633 Detail