A popular backup WordPress plugin with more than three million users has recently patched up a vulnerability that allowed threat actors access to passwords, identity information, and other sensitive data.
As reported by WordFence security analysts, researcher Marc Montpas discovered a vulnerability in UpdraftPlus, a backup, restore and clone plugin for WordPress.
UpdraftPlus has a feature that allows users to send a download link to the backup, via email, to an address designated by the site’s owner. However, this feature has been implemented poorly, the researcher has found, and allows pretty much anyone, even subscriber-level users, to create a valid link that would allow them to download backup files.
To exploit the vulnerability, however, the attacker would need to have an active account on the target system, the researchers further explain, concluding that such an attack would need to be targeted. The potential consequences are described as “severe”, which is why the researchers are using all UpdraftPlus users to update their plugins immediately.
The patched up version is 1.22.3.
WordPress plugins often come with critical flaws that could allow attackers full website takeover. Just a few weeks ago, a popular WordPress plugin used by more than a million websites was found to be carrying a critical remote code execution (RCE) flaw
Another vulnerability was also recently discovered in the “WordPress Email Template Designer – WP HTML Mail”, plugin, which allowed for an unauthenticated attacker to inject malicious JavaScript that would run whenever a site admin accesses the template editor, while in late October 2021, researchers discovered a flaw in the Hashthemes Demo Importer plugins that could be exploited to completely wipe and reset any vulnerable WordPress website.
WordPress Email Template Designer – WP HTML Mail is used by 20,000 websites, while Hashthemes Demo Importer plugins count more than 8,000 users.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba