On February 17, 2022, UpdraftPlus, a WordPress plugin with over 3 million installations, released a security fix for a vulnerability discovered by security researcher Marc Montpas. This vulnerability allows any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information: they frequently include configuration files such as wp-config.php, which holds the database credentials and can be used to access the site database, as well as the contents of the database itself.
As with all newly reported vulnerabilities, the Wordfence Threat Intelligence team examined the patch and was able to create a proof of concept. In addition, we released a firewall rule to block any attackers trying to exploit this vulnerability. Wordfence Premium, Care, and Response customers received this rule today, February 17, 2022, while Wordfence Free users will receive this rule after 30 days on March 19, 2022.
This vulnerability was patched in version 1.22.3 of UpdraftPlus. We strongly encourage you to verify that your site is running the most up-to-date version of the plugin and to update immediately if it is not.
Description: Authenticated Backup Download
Affected Plugin: UpdraftPlus
Plugin Slug: updraftplus
Plugin Developer: UpdraftPlus.Com
Affected Versions: 1.16.7 – 1.22.2
CVE ID: CVE-2022-0633
CVSS Score: 8.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Researcher/s: Marc Montpas
Fully Patched Version: 1.22.3
UpdraftPlus is a popular backup plugin for WordPress sites, so it is expected that the plugin allows site administrators to download their backups. One of the features the plugin implemented was the ability to send backup download links to an email address of the site owner's choice. Unfortunately, this functionality was insecurely implemented: the problem was not the download feature itself but the missing authorization around it, which made it possible for low-privileged authenticated users such as subscribers to craft a valid link that would allow them to download backup files.
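The following PHP is an added illustration of the bug class described above, written for this page; it is not UpdraftPlus code, and the page does not detail the plugin's actual handler. It shows a hypothetical backup-download AJAX endpoint that is gated only on "is logged in" plus a nonce, next to a hardened form that also requires a capability subscribers do not have and confines the requested file to the backup directory. All handler, nonce-action and directory names are assumptions.

```php
<?php
// Added example, not UpdraftPlus code. Names below are hypothetical.
// Both handlers use the standard WordPress APIs (add_action, check_ajax_referer,
// current_user_can, wp_send_json_error, sanitize_file_name).

// --- Vulnerable pattern: any authenticated user with a valid nonce can fetch a backup ---
add_action( 'wp_ajax_example_download_backup', 'example_download_backup_vulnerable' );
function example_download_backup_vulnerable() {
    // is_user_logged_in() is true for subscribers, so this is authentication, not authorization.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Not logged in' ), 403 );
    }
    // A nonce only proves the request originated from a page the user loaded. If the nonce
    // is obtainable by every logged-in user (printed in a script, returned by another
    // endpoint, or reused in an emailed link), a subscriber can craft a "valid" download URL.
    check_ajax_referer( 'example_backup_nonce', 'nonce' );

    $file = basename( wp_unslash( $_GET['file'] ?? '' ) );
    example_stream_backup( $file );
}

// --- Hardened pattern: nonce AND capability check AND path confinement ---
add_action( 'wp_ajax_example_download_backup_safe', 'example_download_backup_hardened' );
function example_download_backup_hardened() {
    check_ajax_referer( 'example_backup_nonce', 'nonce' );

    // Authorization: only users who may administer the site may download backups.
    // Subscribers lack manage_options, so a leaked or guessable nonce is no longer enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $file = basename( sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) ) );
    example_stream_backup( $file );
}

// Shared helper: confine the requested name to the backup directory before streaming it.
function example_stream_backup( $file ) {
    $backup_dir = trailingslashit( WP_CONTENT_DIR ) . 'example-backups/'; // hypothetical location
    $real_dir   = realpath( $backup_dir );
    $path       = realpath( $backup_dir . $file );
    // Reject anything that resolves outside the backup directory (traversal, symlinks, empty name).
    if ( false === $real_dir || false === $path
        || 0 !== strpos( $path, $real_dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_send_json_error( array( 'message' => 'Invalid backup' ), 400 );
    }
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

The practical check when reviewing any plugin endpoint that serves sensitive files is to look for a `current_user_can()` call (or equivalent capability check) in addition to the nonce: `is_user_logged_in()` and `check_ajax_referer()` alone admit every registered user, which on a site with open registration means anyone.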