A forced update was sent to millions of WordPress sites using a plugin called UpdraftPlus.
Why the Need for a Mandatory Patch?
UpdraftPlus's developers asked for the forced update because of the severity of the flaw. On an unpatched site, anyone with an account, including ordinary customers or subscribers, could download the site's latest backups, and a backup includes a full copy of the WordPress database: user records, hashed passwords, and whatever security-relevant settings and customer data the site stores. Leaving the plugin unpatched therefore exposes the site to a serious data breach.
What is UpdraftPlus?
It’s one of the most popular backup plugins for WordPress. It streamlines backing up a site's files and database to Google Drive and other cloud storage services, and lets users schedule regular backups.
However, it’s not immune to bugs.
According to a post by Marc Montpas:
“During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups. If exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).”
The plugin has over 3 million active installations. WordPress.org statistics show that over 1.7 million sites received the update, and over 280,000 more installed it afterwards.
Montpas said that the vulnerability is the result of several flaws combined. One of them was how the plugin used the WordPress Heartbeat API, which "will send continuous pulses and triggers events (or callbacks) upon receiving data. This function helps you to sync all the data between the server and the WordPress dashboard." Heartbeat requests are sent by any logged-in user's dashboard, so a plugin callback hooked into it runs for every role, not just administrators.
But UpdraftPlus's heartbeat callback did not check that the user who sent the request had administrative privileges. That mattered because the callback fetched all active backup jobs and the details of the latest backup, and returned them to whoever asked.
A logged-in attacker, even a subscriber, could therefore send a crafted request targeting this callback and obtain the details of the latest backup, including the backup's nonce. Because the download endpoint treated possession of that nonce as sufficient proof of authorization, leaking it was enough to fetch the backup archive.
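To make the mechanism concrete, here is an added example: a hypothetical WordPress plugin (`demo_backup`, written for this article, not UpdraftPlus's own code) that hooks the Heartbeat API and exposes a backup download endpoint. The vulnerable pair reproduces the pattern described above: the Heartbeat callback hands the latest backup's nonce to any logged-in user, and the download endpoint accepts that nonce as the only authorization check. The hardened pair adds a capability check in both places. All function names, the `DEMO_BACKUP_HARDENED` constant, the backup directory and the sample job data are assumptions made for the example; the WordPress hooks and helpers (`heartbeat_received`, `admin_init`, `current_user_can`, `is_user_logged_in`, `hash_equals`, `wp_die`) are real.

```php
<?php
/**
 * Added example, not UpdraftPlus code: a hypothetical "demo_backup" plugin showing
 * the Heartbeat nonce leak beside its fix. Drop it in wp-content/plugins/ to try it.
 *
 * Plugin Name: demo_backup (vulnerable vs. hardened Heartbeat example)
 */

// Hypothetical record of the most recent backup job (constructed sample values).
function demo_backup_latest_job() {
    return array(
        'nonce'     => 'a1b2c3d4e5',              // per-backup token the download URL expects
        'timestamp' => 1644796800,                // 2022-02-14
        'file'      => 'backup_2022-02-14_db.gz', // lives in the assumed backup directory
    );
}

// Assumed storage location for the example; a real plugin would use its own option.
function demo_backup_dir() {
    return WP_CONTENT_DIR . '/demo-backups/';
}

function demo_backup_send_file( $name ) {
    $path = demo_backup_dir() . basename( $name );   // basename() blocks path traversal
    if ( ! is_file( $path ) ) {
        wp_die( 'Backup not found', 404 );
    }
    header( 'Content-Type: application/gzip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// ---- Vulnerable pair: what the flaw described above looks like in code ------------

// Heartbeat runs for every logged-in user's dashboard. Nothing here asks whether that
// user is an administrator, so a subscriber polling with demo_backup_poll=1 gets the nonce.
function demo_backup_heartbeat_vulnerable( $response, $data ) {
    if ( ! empty( $data['demo_backup_poll'] ) ) {
        $response['demo_backup_latest'] = demo_backup_latest_job();
    }
    return $response;
}

// Download endpoint: only checks "logged in" plus "nonce matches". The nonce is the
// whole authorization, so whoever obtained it via Heartbeat can pull the archive.
function demo_backup_download_vulnerable() {
    if ( empty( $_GET['demo_backup_download'] ) || ! is_user_logged_in() ) {
        return;
    }
    $job      = demo_backup_latest_job();
    $supplied = isset( $_GET['nonce'] ) ? (string) $_GET['nonce'] : '';
    if ( hash_equals( $job['nonce'], $supplied ) ) {
        demo_backup_send_file( $job['file'] );
    }
    wp_die( 'Forbidden', 403 );
}

// ---- Hardened pair: authorize the user first, treat the nonce as a CSRF token only ---

function demo_backup_heartbeat_hardened( $response, $data ) {
    if ( ! empty( $data['demo_backup_poll'] ) && current_user_can( 'manage_options' ) ) {
        $response['demo_backup_latest'] = demo_backup_latest_job();
    }
    return $response;
}

function demo_backup_download_hardened() {
    if ( empty( $_GET['demo_backup_download'] ) ) {
        return;
    }
    // Capability check first: a leaked or guessed nonce must never be enough on its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $job      = demo_backup_latest_job();
    $supplied = isset( $_GET['nonce'] ) ? (string) $_GET['nonce'] : '';
    if ( ! hash_equals( $job['nonce'], $supplied ) ) {
        wp_die( 'Bad nonce', 403 );
    }
    demo_backup_send_file( $job['file'] );
}

// Register one pair or the other; define DEMO_BACKUP_HARDENED in wp-config.php to switch.
if ( defined( 'DEMO_BACKUP_HARDENED' ) && DEMO_BACKUP_HARDENED ) {
    add_filter( 'heartbeat_received', 'demo_backup_heartbeat_hardened', 10, 2 );
    add_action( 'admin_init', 'demo_backup_download_hardened' );
} else {
    add_filter( 'heartbeat_received', 'demo_backup_heartbeat_vulnerable', 10, 2 );
    add_action( 'admin_init', 'demo_backup_download_vulnerable' );
}
```

To reproduce the leak with the vulnerable pair active, log in as a subscriber and POST to `wp-admin/admin-ajax.php` with `action=heartbeat`, `_nonce` set to the page's Heartbeat nonce and `data[demo_backup_poll]=1`; the JSON response carries `demo_backup_latest.nonce`, which then satisfies `wp-admin/?demo_backup_download=1&nonce=...`. With `DEMO_BACKUP_HARDENED` defined, the same subscriber gets an empty Heartbeat response and a 403 from the download URL. The design point is that a WordPress nonce only proves the request came from a page the server rendered for that user; it says nothing about what the user is allowed to do, so every privileged endpoint needs its own `current_user_can()` check.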
Montpas recommends checking which version of the plugin is installed. If it is older than 1.22.3 (or 2.22.3 for UpdraftPlus Premium), update it immediately. On the command line, `wp plugin get updraftplus --field=version` prints the installed version and `wp plugin update updraftplus` applies the fix; in the dashboard, the version is shown under Plugins.
The flaw was found on February 14, 2022, and the plugin's developers were notified the same day. Their response was immediate: on February 16, 2022, WordPress began force-upgrading installations to version 1.22.3.
This is one of the rare cases severe enough for WordPress to push an automatic update to all sites regardless of the administrator's auto-update settings.
Is WordPress Secure?
WordPress is one of the most popular platforms for web developers. It’s easy to customize through the plugins available. But is it secure?
It’s reasonably secure if you keep core, themes and plugins updated. Thousands of WordPress sites are still hacked every year, but the great majority of those were running outdated software or using weak passwords.
If you’re using out-of-date plugins, update them, and delete any plugin you are no longer using. Every plugin you install adds code that runs with the site's privileges, and with it new attack surface; as UpdraftPlus shows, even a widely used, well-maintained plugin can ship a serious vulnerability. Keep only the plugins you actually need, from maintained sources, and make sure they update promptly.