
WordPress Plugin with over 3 Million Installations Let Subscribers Download Sensitive Backups

UpdraftPlus is a WordPress plugin used to back up site data, with over three million active installations worldwide. It was reported to be affected by an authenticated backup download vulnerability: an attacker who can guess the timestamp of a backup can exploit the flaw to download that backup.

UpdraftPlus released a patched version as soon as the issue surfaced. Most organisations keep backups as a safety measure, but a backup is also an ocean of information: it may even contain credentials that expose sensitive databases.

Sites normally keep backups away from the public. However, it was recently found that the information needed to locate a backup, its timestamp, can be obtained relatively easily, which makes this vulnerability considerably more exploitable.

Security researcher Marc Montpas reported that any logged-in user, including subscriber-level users, can download backups made with this plugin. The code path abused is the "maybe_download_backup_from_email" feature, which is meant to serve a backup to an administrator who follows the link in a notification email. It validates the request with a backup nonce, so an attacker who has that nonce can make the plugin serve any backup.

The feature relies on the check UpdraftPlus_Options::admin_page() === $pagenow, which is meant to confirm that the request is being served from the plugin's settings page, options-general.php, a page that low-privileged users cannot reach. The problem is that $pagenow is derived from the request path rather than from the script PHP is actually executing, so the check can be fooled by a specially crafted request.

The researcher showed that a request to wp-admin/admin-post.php/%0A/wp-admin/options-general.php?page=updraftplus makes $pagenow report options-general.php while the script that actually runs is admin-post.php, which any logged-in user can reach. The remaining obstacle is identifying the backup: since all backups are indexed by timestamp, the attacker either brute-forces the timestamp or uses the same download flaw to retrieve the backup log and database.
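To make the $pagenow confusion concrete, here is an added example that is not part of the original article and not UpdraftPlus or WordPress code: a Python port of the is_admin() branch of WordPress's $pagenow derivation in wp-includes/vars.php, run against a normal path, a path with a fake admin page appended, and the %0A payload from the write-up. Python's re module shares the two PCRE behaviours the trick depends on: "." does not match a newline, and "$" matches only at the very end of the string (or before a single trailing newline). Assumptions, all labelled in the code: an Apache/mod_php deployment where PHP_SELF is SCRIPT_NAME plus the URL-decoded PATH_INFO, so %0A reaches PHP as a real newline; ADMIN_PAGE, vulnerable_check and hardened_check are illustrative names; and the hardening shown (trusting SCRIPT_NAME instead of $pagenow) is one possible mitigation, not the vendor's actual patch.

```python
import re
from urllib.parse import unquote

# What UpdraftPlus_Options::admin_page() returns on a single-site install.
ADMIN_PAGE = "options-general.php"


def wp_pagenow(php_self):
    """Port of the is_admin() branch of WordPress's $pagenow logic (wp-includes/vars.php).

    Python's re behaves like PCRE here: '.' does not cross a newline and '$' only
    matches at the very end (or before a single trailing newline). A newline in the
    middle of PHP_SELF therefore makes the match that starts at the first
    '/wp-admin/' fail, and the search continues at the next occurrence.
    """
    m = re.search(r"/wp-admin/?(.*?)$", php_self, re.IGNORECASE)
    pagenow = m.group(1) if m and m.group(1) else ""
    pagenow = pagenow.strip("/")
    pagenow = re.sub(r"\?.*?$", "", pagenow)  # drop the query string
    if pagenow in ("", "index", "index.php"):
        return "index.php"
    pagenow = re.match(r"(.*?)(/|$)", pagenow).group(1).lower()  # first path segment
    if not pagenow.endswith(".php"):
        pagenow += ".php"  # WordPress's Options +Multiviews fix-up
    return pagenow


def php_self_for(script_name, path_info):
    """Assumption: Apache/mod_php, where PHP_SELF = SCRIPT_NAME + PATH_INFO and
    PATH_INFO is URL-decoded, so %0A reaches PHP as a real newline."""
    return script_name + unquote(path_info)


def vulnerable_check(php_self, query):
    """The check pattern the advisory describes: trust $pagenow plus ?page=updraftplus."""
    return wp_pagenow(php_self) == ADMIN_PAGE and query.get("page") == "updraftplus"


def hardened_check(script_name, query):
    """Illustrative mitigation (not the vendor's patch): compare against the script
    PHP is actually executing, which PATH_INFO cannot change."""
    running = script_name.rsplit("/", 1)[-1].lower()
    return running == ADMIN_PAGE and query.get("page") == "updraftplus"


def demo():
    """Run the three request shapes an analyst would compare and return the outcomes."""
    query = {"page": "updraftplus"}  # constructed query string
    cases = {
        # A normal request to the low-privilege endpoint.
        "plain": ("/wp-admin/admin-post.php", ""),
        # A fake admin page appended, but without the newline.
        "no_nl": ("/wp-admin/admin-post.php", "/wp-admin/options-general.php"),
        # The payload from the write-up: %0A becomes a newline inside PATH_INFO.
        "spoofed": ("/wp-admin/admin-post.php", "/%0A/wp-admin/options-general.php"),
    }
    out = {}
    for name, (script, info) in cases.items():
        php_self = php_self_for(script, info)
        out[name] = {
            "pagenow": wp_pagenow(php_self),
            "vulnerable_passes": vulnerable_check(php_self, query),
            "hardened_passes": hardened_check(script, query),
        }
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:8s} $pagenow={r['pagenow']:22s} "
              f"vulnerable={r['vulnerable_passes']} hardened={r['hardened_passes']}")
```

Running the block prints the three cases; the spoofed path is the only one where $pagenow disagrees with the script that actually executes, and the only one that passes the $pagenow-based check. The detection angle follows directly from the mechanism: a %0A (or any other control character) inside the path component of a request to wp-admin/admin-post.php has no legitimate use and is worth alerting on in web server logs.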

Vulnerability Details

Description: Authenticated Backup Download

Affected Plugin: UpdraftPlus

Plugin Slug: updraftplus

Plugin Developer: UpdraftPlus[.]Com

Affected Versions: 1.16.7 – 1.22.2

CVE ID: CVE-2022-0633

CVSS Score: 8.5 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Researcher/s: Marc Montpas

Fully Patched Version: 1.22.3

Users of UpdraftPlus are advised to update to version 1.22.3 or later, since this vulnerability can expose a large amount of sensitive information if it is exploited. Successful exploitation of this vulnerability can even result in a site takeover.


Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
