Updates have been published for UpdraftPlus, a WordPress backup plugin with over 3 million installations, after security researcher Marc Montpas uncovered a vulnerability in it. The Wordfence Threat Intelligence team said in a blog post that the flaw allows any logged-in user, even subscriber-level users, to download backups created by the plugin. Backups include a wealth of sensitive information, including configuration files that may be used to access the site database, as well as the database’s contents.
The researchers examined the patch and were able to build a proof of concept. An earlier version of the Wordfence post stated that an attacker would have to start their attack while a backup was in progress and guess the correct timestamp in order to download a backup. The post was later updated to reflect that Wordfence had discovered that a complete log containing a backup nonce and timestamp can be obtained at any time, “making this vulnerability significantly more exploitable.”
On Thursday, UpdraftPlus released version 1.22.3, which addresses the issue, and advised customers to check that their websites are running the most recent version.
“UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained.
The attack begins with the WordPress heartbeat function. The attacker sends a specially crafted heartbeat request carrying a data[updraftplus] parameter. By supplying the necessary subparameters, the attacker can retrieve a backup log, including a backup nonce and timestamp, which they can then use to download a backup. The underlying problem, according to the firm, is the UpdraftPlus_Options::admin_page() === $pagenow check. According to Wordfence, attackers can mislead the $pagenow check into believing the request is for options-general.php, while WordPress itself still treats it as a request to the permitted admin-post.php endpoint.
Wordfence further noted that an attacker would need an active account on the target site to exploit the vulnerability. According to Netenrich’s John Bambenek, WordPress is one of the most widely used website backends on the Internet, and its security issues stem from its broad ecosystem of plugins, written by everyone from skilled developers to hobbyists. Vulcan Cyber engineer Mike Parkin proposed setting up a firewall rule to protect against the vulnerability until the patch is applied.
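The following must-use plugin is an added example, not code from UpdraftPlus or Wordfence, of the kind of interim rule Parkin describes: it refuses heartbeat requests that carry the data[updraftplus] parameter discussed above unless the user holds manage_options. The helper name, the choice of manage_options as the gating capability, and the log format are assumptions made for this example; it is a stopgap for sites that cannot yet move to 1.22.3.

```php
<?php
/**
 * Plugin Name: UpdraftPlus heartbeat stopgap (illustrative example)
 * Description: Interim hardening added here as an example; not UpdraftPlus code.
 *              Place in wp-content/mu-plugins/ until the site runs 1.22.3 or later.
 */

// Hypothetical helper: is the current AJAX request a WordPress heartbeat that
// carries the data[updraftplus] sub-parameters described in the write-up?
function updraft_stopgap_is_updraft_heartbeat() {
    if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) {
        return false;
    }
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    if ( 'heartbeat' !== $action ) {
        return false;
    }
    // Heartbeat payloads are posted as data[...]; a request without a
    // data[updraftplus] key is ordinary editor/session traffic and is left alone.
    return isset( $_POST['data'] ) && is_array( $_POST['data'] )
        && array_key_exists( 'updraftplus', $_POST['data'] );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so a
// check hooked here runs before the plugin's own heartbeat handler sees the data.
add_action( 'admin_init', function () {
    if ( ! updraft_stopgap_is_updraft_heartbeat() ) {
        return;
    }
    // Assumption for this example: only users who administer the site
    // (manage_options) have a legitimate reason to drive UpdraftPlus this way.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    // Record the denied attempt so the SOC can see which account probed the endpoint.
    $user = wp_get_current_user();
    error_log( sprintf(
        'updraft-stopgap: denied heartbeat data[updraftplus] for user #%d (%s) from %s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 1 );
```

Because the rule only fires when data[updraftplus] is present, normal heartbeat traffic from editors and subscribers is unaffected, and the error_log line gives a concrete string to alert on.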