Millions of WordPress sites received a forced update in the last day to fix a critical vulnerability in a plugin called UpdraftPlus.
The mandatory patch came at the request of UpdraftPlus developers due to the severity of the vulnerability, which allows untrusted subscribers, customers and others to download the site’s personal database as long as they have an account on the vulnerable site. Databases often include sensitive customer information or site security settings, leaving millions of sites vulnerable to serious data breaches that spread passwords, usernames, IP addresses, and more.
Poor results, easy to exploit
UpdraftPlus simplifies the process of backing up and restoring website databases and is the most widely used scheduled backup plugin on the web for the WordPress content management system. It streamlines data backup to Dropbox, Google Drive, Amazon S3 and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses fewer server resources than competing WordPress plugins.
“This bug is fairly easy to exploit, with some very bad results if exploited,” said Marc Montpas, a security researcher who discovered the vulnerability and privately reported it to the plugin’s developers. “This enabled low-privilege users to download site backups that included raw database backups. Low privilege accounts can mean many things. Regular subscribers, customers (of e-commerce sites for example) etc.”
Montpas, a researcher at website security firm Jet, said he discovered the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers released a patch and agreed to force install it on WordPress sites that have the plugin installed.
Statistics provided by WordPress.org show that 1.7 million sites received the update on Thursday, and more than 287,000 others had it installed as of press time. WordPress says the plugin has over 3 million users.
In disclosing the vulnerability on Thursday, UpdraftPlus wrote:
This flaw allows any logged-in user on a WordPress installation with UpdraftPlus enabled to exercise the privilege to download an existing backup, a privilege that should have been restricted to admin users only. This was possible due to a missing permission check for code related to checking the current backup state. This allowed an internal identifier that was otherwise unknown to be obtained and could then be used to pass a download authorization check.
This means that if your WordPress site allows untrusted users to log into WordPress, and if you have any existing backup, then you are potentially vulnerable to a technically savvy user figuring out how to download the existing backup. Affected sites are at risk of data loss/data theft through an attacker accessing an archive copy of your site if your site contains anything that is not public. I say “technically qualified” because at this point no public proof of how to use this exploit has been made. At this point, it relies on a hacker reverse-engineering the changes in the latest version of UpdraftPlus to make it. However, you should certainly not count on this taking a long time, so you should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating just in case.
Hackers listen to heartbeats
In his own disclosure, Montpas said the vulnerability stems from several flaws. The first was in UpdraftPlus’ implementation of the WordPress heartbeat feature. UpdraftPlus did not properly validate whether users submitting requests have administrative privileges. This was a major problem because the function retrieves a list of all active backup jobs and the date of the site’s last backup. Included in this data is the custom nonce that the plugin used to secure backups.
“Thus, an attacker could craft a malicious request targeting this heartbeat callback to access information about the site’s most recent backup to date, which would, among other things, contain the backup nonce,” writes Montpas.
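As an added illustration of the bug class the two disclosures describe, and not UpdraftPlus’ own code, here is a WordPress heartbeat callback written first without and then with the capability check, plus the download handler that must not rely on the nonce as its authorization; all my_backup_* names and option keys are hypothetical.

```php
<?php
// Added illustration of the missing-permission-check pattern; not UpdraftPlus code.
// Every my_backup_* name and option key below is hypothetical.

// Vulnerable pattern: any logged-in user who sends a heartbeat request
// receives the backup state, including the nonce that later gates the download.
function my_backup_heartbeat_vulnerable( $response, $data ) {
    if ( empty( $data['my_backup_status'] ) ) {
        return $response;
    }
    $response['my_backup'] = array(
        'jobs'     => get_option( 'my_backup_active_jobs', array() ),
        'last_run' => get_option( 'my_backup_last_run' ),
        'nonce'    => get_option( 'my_backup_nonce' ), // leaked to subscribers
    );
    return $response;
}

// Hardened pattern: check the capability before returning anything, and keep
// the secret out of the heartbeat payload entirely.
function my_backup_heartbeat_hardened( $response, $data ) {
    if ( empty( $data['my_backup_status'] ) || ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $response['my_backup'] = array(
        'jobs'     => get_option( 'my_backup_active_jobs', array() ),
        'last_run' => get_option( 'my_backup_last_run' ),
        // no nonce here: the download endpoint performs its own capability check
    );
    return $response;
}
add_filter( 'heartbeat_received', 'my_backup_heartbeat_hardened', 10, 2 );

// The download endpoint must check the capability itself. A nonce is CSRF
// protection, not authorization: a leaked nonce would otherwise pass this check.
function my_backup_download() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'my_backup_download' );
    // ... stream the backup archive to the administrator ...
}
add_action( 'admin_post_my_backup_download', 'my_backup_download' );
```

The defensive takeaway is that every handler touching backup state needs its own current_user_can() check; a nonce obtained from one endpoint must never be the only thing standing between a low-privilege account and another endpoint’s data.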