Security researcher at Automattic discovered a vulnerability affecting popular WordPress backup plugin, UpdraftPlus. The vulnerability allowed hackers to download user names and hashed passwords. Automattic calls it a “severe vulnerability.”
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is a popular WordPress backup plugin that’s actively installed in over 3 million websites.
The plugin allows WordPress administrators to backup their WordPress installations, including the entire database which contains user credentials, passwords and other sensitive information.
Publishers rely on UpdraftPlus to adhere to the highest standards of security in their plugin because of how sensitive the data is that’s backed up with the plugin.
The vulnerability was discovered by an audit conducted by a security researcher at Automattic’s Jetpack.
They discovered two previously unknown vulnerabilities.
The first was related to how UpdraftPlus security tokens called, nonces, could be leaked. This allowed an attacker to obtain the backup, including the nonce.
According to WordPress, nonces are not supposed to be the main line of defense against hackers. It explicitly states that functions should be protected by properly validating who has the proper credentials (by using the function called current_user_can()).
“Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.”
The second vulnerability was tied to an improper validation of a registered users role, precisely what WordPress warns that developers should take steps to lock down plugins.
The improper user role validation allowed someone with the data from the previous vulnerability to download any of the backups, which of course contains sensitive information.
Jetpack describes it:
“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn’t directly validate users’ roles either.
While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.
Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”
The United States Government National Vulnerability database warns that UpdraftPlus didn’t “…properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.”
WordPress Forced Updates of UpdraftPlus
The vulnerability was so severe, WordPress took the extraordinary step of forcing automatic updates on all installations that hadn’t yet updated UpdraftPlus to the latest version.
But publishers are recommended to take it for granted that their installation was updated.
Affected Versions of UpdraftPlus
UpdraftPlus free versions before 1.22.3 and UpdraftPlus premium versions before 2.22.3 are vulnerable to the attack.
It’s recommended that publishers check to see that they are using the very latest version of UpdraftPlus.