WordPress owners should urgently install this patch to fix a severe bug

If you have a WordPress website, you may have received a forced patch to address a severe vulnerability. The patch fixes an issue with the popular plugin UpdraftPlus, which is used to create and restore website backups.

The plugin developer has made the patch mandatory as the vulnerability could let anyone with an account download your website’s entire database.

Jetpack security researcher, Marc Montpas, discovered the vulnerability during a security audit of the plugin. Speaking to Ars Technica, Montpas said, “This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited. It made it possible for low-privilege users to download a site’s backups, which include raw database backups. Low-privilege accounts could mean a lot of things. Regular subscribers, customers (on e-commerce sites, for example), etc.”

He also wrote, “An attacker could thus craft a malicious request targeting this heartbeat callback to get access to information about the site’s latest backup to date, which will, among other things, contain a backup’s nonce.”

UpdraftPlus took a day to fix the bug after Montpas reported it last week, and the mandatory patch has gone out to more than half of the three million-plus users of the plugin.

The issue was that UpdraftPlus's handling of WordPress' heartbeat procedure failed to confirm that the requesting user had admin privileges. Here is the developer's explanation of the bug:

“This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown and could then be used to pass a check upon permission to download.

“This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have any existing backup, then you are potentially vulnerable to a technically skilled user working out how to download the existing backup. Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public. I say “technically skilled” because at that point, no public proof of how to leverage this exploit has been made. At this point in time, it relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out. However, you should certainly not rely upon this taking long but should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.”
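To make the developer's description concrete, here is an added illustration (not UpdraftPlus code, and not how the plugin is written) of the two checks that matter: a WordPress heartbeat handler that hands backup state to any logged-in user, beside the same handler gated by a capability check, plus a download endpoint that does not treat knowledge of an internal identifier as proof of permission. The `heartbeat_received` filter, `current_user_can`, `check_admin_referer` and `admin_post_*` are real WordPress APIs; the option key, request key and function names prefixed `example_` are assumptions made up for this example.

```php
<?php
// Added illustration, not UpdraftPlus code. 'heartbeat_received', 'manage_options',
// current_user_can() and check_admin_referer() are real WordPress APIs; the option
// key and request key 'example_backup_status' are constructed for this example.

// Vulnerable pattern: every logged-in user's browser sends heartbeat requests, so
// this handler returns the latest backup's internal identifier to anyone with an
// account, which is the missing-permissions-check defect the developer describes.
function example_heartbeat_leaky( $response, $data ) {
    if ( empty( $data['example_backup_status'] ) ) {
        return $response;
    }
    // No permissions check here.
    $status = get_option( 'example_backup_status', array() );
    $response['example_backup_status'] = $status;
    return $response;
}

// Hardened pattern: the same handler first confirms the caller may manage the site.
function example_heartbeat_hardened( $response, $data ) {
    if ( empty( $data['example_backup_status'] ) ) {
        return $response;
    }
    // Capability check: subscribers, customers and other low-privilege roles stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $status = get_option( 'example_backup_status', array() );
    $response['example_backup_status'] = $status;
    return $response;
}
add_filter( 'heartbeat_received', 'example_heartbeat_hardened', 10, 2 );

// Download endpoint: an internal identifier is not a credential. The capability
// check is repeated here, so even a leaked identifier cannot pass on its own.
function example_download_backup() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Still verify the WordPress nonce to block cross-site request forgery.
    check_admin_referer( 'example_download_backup' );
    // ... stream the backup file to the administrator ...
}
add_action( 'admin_post_example_download_backup', 'example_download_backup' );
```

The point of the hardened version is that the authorization decision is made in both places: the status callback no longer reveals the identifier to non-administrators, and the download path no longer accepts the identifier as a substitute for a capability check, so fixing either one alone would still leave a weaker design than fixing both.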

Meanwhile, WordPress suffered a breach this year, although it came through a hack on GoDaddy. The breach compromised about 1.2 million accounts.

If you use the UpdraftPlus plugin on your WordPress website, ensure that the plugin has been automatically updated to version 1.22.4 or later for the free version. If you use the premium version, you should be on version 2.22.4.

Written by HackerVibes
