WordPress plugin: UpdraftPlus could leak website backups

The WordPress plugin UpdraftPlus is vulnerable, potentially putting millions of websites at risk. This allows you to make backups of websites created with the content management system (CMS) and, if necessary, restore complete pages from them.

WordPress states that the plugin has 3 million active installs. On the vulnerability (CVE-2022-0633 “high“) security researchers came across Jetpack. In an article they write that the vulnerability affects versions between 1.16.7 (from March 2019) and 1.22.3. The UpdraftPlus developers state that they have fixed the vulnerability in the releases 1.22.3 and 2.22.3 have closed Due to a bug, the Versions 1.22.4 and 2.22.4 accessible.

Due to the vulnerability, theoretically every user registered on a site could access backups made with the plug-in and read data. This is said to be due to a missing check as to whether a user has admin rights. Actually, only admins are allowed to access backup copies. This should work by sending prepared requests. Attackers could then download and search through backups.

The developers state that passwords should be stored as a hash in backup copies, so that attackers cannot do anything with them. It is not yet known which hash method is used. The developers state that they have not yet observed any attacks. Nevertheless, they advise admins to update UpdraftPlus quickly.