Millions of WordPress site backups at risk due to a vulnerability in UpdraftPlus plugin

Threat Level – Amber | Vulnerability Report

For a detailed advisory, download the pdf file here

UpdraftPlus is a backup tool for WordPress files, databases, plugins, and themes that allows you to create, restore, and migrate backups. According to its website, UpdraftPlus is used by more than three million WordPress sites, including those of P&G, the NBA, Microsoft and NASA. An access control bypass vulnerability has been identified that allows even users with subscriber-level capabilities to download any UpdraftPlus backup.

An attacker can leverage this flaw to obtain access to privileged information stored in the database of the vulnerable site (e.g., usernames and hashed passwords).

This vulnerability has been fixed in UpdraftPlus Free version 1.22.3 and Premium version 2.22.3.
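As an added example (not part of this advisory or of the UpdraftPlus project), the following script reads the installed plugin's version from its WordPress plugin header and compares it against the fixed releases named above, using the 1.x / 2.x major version to tell the Free and Premium lines apart. The main-file path and the sample header are assumptions constructed for illustration.

```python
"""Check an installed UpdraftPlus version against the advisory's fixed releases."""
import re
from pathlib import Path

# Fixed versions from the advisory, keyed by major version:
# Free is the 1.x line, Premium the 2.x line.
FIXED = {1: (1, 22, 3), 2: (2, 22, 3)}

# Assumed location of the plugin's main file below the WordPress root.
PLUGIN_MAIN = Path("wp-content/plugins/updraftplus/updraftplus.php")

# Constructed sample of a WordPress plugin header block (not a real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.22.2
Author: Example
*/
"""


def parse_version(header: str):
    """Return the 'Version:' field of a plugin header as an int tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version) -> bool:
    """True if the version predates the fixed release for its Free/Premium line."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        raise ValueError(f"unknown UpdraftPlus line for version {version}")
    # Tuple comparison is component-wise, so (1, 22, 10) > (1, 22, 3) as intended.
    return version < fixed


def check_install(wp_root: str) -> str:
    """Classify a WordPress install as 'not installed', 'vulnerable' or 'fixed'."""
    path = Path(wp_root) / PLUGIN_MAIN
    if not path.exists():
        return "not installed"
    version = parse_version(path.read_text(errors="replace")[:4096])
    if version is None:
        return "unknown version"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    print(check_install("/var/www/html"))
```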

Potential MITRE ATT&CK TTPs are:

TA0001: Initial Access

T1190: Exploit Public-Facing Application

TA0004: Privilege Escalation

T1068: Exploitation for Privilege Escalation

Vulnerability Detail

Patch Link
