A high severity vulnerability in a WordPress backup plugin makes it possible for unauthenticated attackers to launch an attack.

A high severity vulnerability in a popular WordPress backup plugin allows unauthenticated attackers to exploit the flaw. The vulnerability is rated 8.8 on a scale of 0.0 to 10.
UpdraftPlus: WP Backup & Migration Plugin
The vulnerability affects the popular Updraft Plus WordPress plugin, installed on over 3 million websites. Updraft Plus comes in a free and a paid version and lets users upload backups to their own cloud storage or email the files. The plugin allows users to back up the website manually or schedule automatic backups. It offers a tremendous amount of flexibility in what can be backed up, can make a huge difference when recovering from a catastrophic server problem, and is also useful for migrating to a different server altogether.
Wordfence explains the vulnerability:
“The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.24.11 via deserialization of untrusted input in the ‘recursive_unserialized_replace’ function. This makes it possible for unauthenticated attackers to inject a PHP Object.
No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.”
The Updraft Plus changelog seems to minimize the vulnerability; it doesn’t even call the update a security patch, it’s labeled as a “tweak.”
From the official Updraft Plus WordPress plugin changelog:
“TWEAK: Complete the review and removal of calls to the unserialize() PHP function allowing class instantiation begun in 1.24.7. (The final removal involved a theoretical security defect, if your development site allowed an attacker to post content to it which you migrated to another site, and which contained customised code that could perform destructive actions which the attacker knew about, prior to you then cloning the site. The result of this removal is that some search-replaces, highly unlikely to be encountered in practice, will be skipped).”
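The changelog describes replacing unserialize() calls that allowed class instantiation with ones that do not, and skipping the rare search-replaces that would have needed it. As an added illustration (not UpdraftPlus or Wordfence code), the snippet below shows the weak pattern beside the hardened one; the class, function names and sample payload are constructed for the example.

```php
<?php
// Added example, not UpdraftPlus code. Shows why unserialize() on migrated site
// content is risky, and the hardening the changelog describes.

// Hypothetical class that might exist in some other plugin or theme on the target site.
// Its magic method runs automatically whenever an object of this class is unserialized.
class LegacyCacheEntry {
    public $path;
    public function __wakeup() {
        // A harmful gadget would act here; this one only records that it was triggered.
        error_log("LegacyCacheEntry::__wakeup ran for " . $this->path);
    }
}

// Weak pattern: default unserialize() instantiates any class named in the payload,
// so serialized strings from attacker-influenced content trigger magic methods.
function search_replace_unsafe(string $serialized, string $from, string $to): string {
    $data = unserialize($serialized);
    return serialize(str_replace_recursive($data, $from, $to));
}

// Hardened pattern: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, so no __wakeup/__destruct/__toString of a foreign class runs.
// Data that contained objects is skipped rather than rewritten, as the changelog says.
function search_replace_safe(string $serialized, string $from, string $to): string {
    $data = unserialize($serialized, ['allowed_classes' => false]);
    if ($data === false && $serialized !== serialize(false)) {
        return $serialized; // not valid serialized data; leave untouched
    }
    if (contains_incomplete_class($data)) {
        return $serialized; // would have needed class instantiation; skip it
    }
    return serialize(str_replace_recursive($data, $from, $to));
}

function str_replace_recursive($data, string $from, string $to) {
    if (is_string($data)) { return str_replace($from, $to, $data); }
    if (is_array($data)) {
        foreach ($data as $k => $v) { $data[$k] = str_replace_recursive($v, $from, $to); }
    }
    return $data;
}

function contains_incomplete_class($data): bool {
    if ($data instanceof __PHP_Incomplete_Class) { return true; }
    if (is_array($data)) {
        foreach ($data as $v) { if (contains_incomplete_class($v)) { return true; } }
    }
    return false;
}

// Constructed sample: a serialized LegacyCacheEntry stored in content that later gets migrated.
$sample = 'O:16:"LegacyCacheEntry":1:{s:4:"path";s:12:"/tmp/old.log";}';
search_replace_safe($sample, 'old', 'new');   // __wakeup never runs; input returned unchanged
search_replace_unsafe($sample, 'old', 'new'); // __wakeup runs before any replacement happens
```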
Updraft Plus Vulnerability Patched
Users are recommended to consider updating their installations of Updraft Plus to the latest version, 1.24.12. All versions prior to the latest version are vulnerable.
Read the Wordfence advisory:
UpdraftPlus: WP Backup & Migration Plugin <= 1.24.11 – Unauthenticated PHP Object Injection
Roger Montti, Owner at Martinibuster.com