
Important security bug in UpdraftPlus plugin: Update the plugin now


Ars Technica reports that millions of WordPress sites have received a mandatory patch in the past few days because of a vulnerability in UpdraftPlus, a popular plugin for creating and restoring backups of websites. The UpdraftPlus developers requested the forced update because the vulnerability allowed anyone with an account on a site to download that site's entire database.

The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin. He told Ars Technica:

This bug is very easy to use and, if misused, it will have very bad results. The new bug allowed low-scoring users to download site backups, which include raw database backups.

Montpas reported the bug to the UpdraftPlus developers on Tuesday of last week; they fixed it the next day and soon after began pushing the forced update. By Thursday it had reached 1.7 million sites with more than 3 million users. The main flaw was that UpdraftPlus, when handling WordPress's "Heartbeat" function, did not properly check whether the requesting user had administrative privileges. A second problem was that the variable used to validate administrators could be modified by unauthorized users.
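The two root causes described above (a Heartbeat handler that never consults WordPress's capability system, and an admin-validation value the client can set) can be illustrated with the following example. It is written for this article and is not UpdraftPlus's own code; it uses WordPress's standard `heartbeat_received` filter and `current_user_can()`, while the handler names and the `example_*` data keys are hypothetical.

```php
<?php
// Added illustration (not UpdraftPlus code). A hypothetical plugin that
// returns a list of backup files through WordPress's Heartbeat API.

// VULNERABLE pattern: the handler decides whether the caller is an
// administrator from a flag ('is_admin') that arrives in the Heartbeat
// POST body. Any logged-in user controls that body, so any logged-in
// user can obtain the backup list.
function example_heartbeat_vulnerable( $response, $data ) {
    if ( ! empty( $data['example_backup_list'] ) && ! empty( $data['is_admin'] ) ) {
        $response['example_backup_list'] = example_get_backup_file_list();
    }
    return $response;
}

// HARDENED pattern: ignore anything the client claims about itself and
// ask WordPress whether the current user may manage the site. The
// capability check is done server-side on every request, so a
// low-privileged account gets an unchanged response.
function example_heartbeat_hardened( $response, $data ) {
    if ( empty( $data['example_backup_list'] ) ) {
        return $response;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response; // not an administrator: disclose nothing
    }
    $response['example_backup_list'] = example_get_backup_file_list();
    return $response;
}

// Stand-in for the plugin's real backup enumeration (constructed value).
function example_get_backup_file_list() {
    return array( 'backup_db.gz' );
}

// Only the hardened handler should ever be registered.
add_filter( 'heartbeat_received', 'example_heartbeat_hardened', 10, 2 );
```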

