{"id":15469,"date":"2022-02-21T09:23:55","date_gmt":"2022-02-21T09:23:55","guid":{"rendered":"https:\/\/mailinvest.blog\/index.php\/2022\/02\/21\/wordpress-backup-plugin-vulnerability-impacted-3-million-installations\/"},"modified":"2022-02-21T09:23:55","modified_gmt":"2022-02-21T09:23:55","slug":"wordpress-backup-plugin-vulnerability-impacted-3-million-installations","status":"publish","type":"post","link":"https:\/\/mailinvest.blog\/index.php\/2022\/02\/21\/wordpress-backup-plugin-vulnerability-impacted-3-million-installations\/","title":{"rendered":"WordPress Backup Plugin Vulnerability Impacted 3+ Million Installations"},"content":{"rendered":"

<\/a>\n
<\/p>\n

\n

Security researcher at Automattic discovered a vulnerability affecting popular WordPress backup plugin, UpdraftPlus. The vulnerability allowed hackers to download user names and hashed passwords. Automattic calls it a \u201csevere vulnerability.\u201d\n<\/p>\n

UpdraftPlus WordPress Backup Plugin<\/h2>\n

UpdraftPlus is a popular WordPress backup plugin that\u2019s actively installed in over 3 million websites.<\/p>\n

The plugin allows WordPress administrators to backup their WordPress installations, including the entire database which contains user credentials,\u00a0 passwords and other sensitive information.<\/p>\n

Publishers rely on UpdraftPlus to adhere to the highest standards of security in their plugin because of how sensitive the data is that\u2019s backed up with the plugin.<\/p>\n

UpdraftPlus Vulnerability<\/h2>\n

The vulnerability was discovered by an audit conducted by a security researcher at Automattic\u2019s Jetpack.<\/p>\n

They discovered two previously unknown vulnerabilities.<\/p>\n

The first was related to how UpdraftPlus security tokens called, nonces, could be leaked. This allowed an attacker to obtain the backup, including the nonce.<\/p>\n

According to WordPress, nonces are not supposed to be the main line of defense against hackers. It explicitly states that functions should be protected by properly validating who has the proper credentials (by using the function called current_user_can()).<\/p>\n

WordPress explains<\/a>:<\/p>\n

\n

\u201cNonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.\u201d<\/p>\n<\/blockquote>\n

The second vulnerability was tied to an improper validation of a registered users role, precisely what WordPress warns that developers should take steps to lock down plugins.<\/p>\n

The improper user role validation allowed someone with the data from the previous vulnerability to download any of the backups, which of course contains sensitive information.<\/p>\n

Jetpack describes it:<\/strong><\/p>\n

\n

\u201cUnfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn\u2019t directly validate users\u2019 roles either.<\/p>\n

While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.<\/p>\n

Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.\u201d<\/p>\n

The United States Government National Vulnerability database warns that UpdraftPlus didn\u2019t \u201c\u2026properly validate a user has the required privileges to access a backup\u2019s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.\u201d<\/p>\n<\/blockquote>\n

WordPress Forced Updates of UpdraftPlus<\/h2>\n

The vulnerability was so severe, WordPress took the extraordinary step of forcing automatic updates on all installations that hadn\u2019t yet updated UpdraftPlus to the latest version.<\/p>\n

But publishers are recommended to take it for granted that their installation was updated.<\/p>\n

Affected Versions of UpdraftPlus<\/h2>\n

UpdraftPlus free versions before 1.22.3 and UpdraftPlus premium versions before 2.22.3 are vulnerable to the attack.<\/p>\n

It\u2019s recommended that publishers check to see that they are using the very latest version of UpdraftPlus.<\/p>\n

Citations<\/h2>\n

Read the Jetpack Announcement<\/h3>\n

Severe Vulnerability Fixed In UpdraftPlus 1.22.3<\/a><\/p>\n

Read the UpdraftPlus Announcement<\/h3>\n

UpdraftPlus security release \u2013 1.22.3 \/ 2.22.3 \u2013 please upgrade<\/a><\/p>\n

Read the U.S. Government Documentation on the Vulnerability<\/h3>\n

CVE-2022-0633 Detail<\/a><\/p>\n<\/div>\n