
According to a reputable source, millions of WordPress sites received a forced patch in the last few days. The cause is a flaw in UpdraftPlus, a popular plugin that lets users generate and restore backups of their websites. The vulnerability would allow anybody with an account on a site to download its full database, so the UpdraftPlus developers rushed out a fix.
During a security audit of the plugin, Jetpack security researcher Marc Montpas uncovered the problem. “This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” he told the source. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups.”
He reported the flaw to UpdraftPlus engineers on Tuesday last week; they patched it the next day and began force-installing the patch shortly after. As of Thursday, 1.7 million sites have gotten it, out of a total user base of 3 million or more.
The key problem was that UpdraftPlus's use of WordPress's “heartbeat” feature did not check whether the calling user had administrative privileges. A second problem was that a variable used to validate administrators could be changed by untrusted users. In a blog post, Jetpack went into depth on how an attack would work.
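To make the two weaknesses described above concrete, here is an added illustration of a hypothetical backup plugin (not UpdraftPlus code) that hands out a backup-download nonce through WordPress's Heartbeat API: the weak version decides who is an administrator from request-supplied data, while the hardened version asks WordPress itself via `current_user_can()`. The function names and the `hypo_backup` field are assumptions for this example.

```php
<?php
// Added illustration (not UpdraftPlus code): a hypothetical backup plugin that
// hooks WordPress's Heartbeat API to hand out a download nonce for backup files.
// The weak version trusts request data to decide who is an administrator; the
// hardened version asks WordPress itself via current_user_can().

// WEAK: the privilege decision depends on values the browser sent.
function hypo_backup_heartbeat_weak( $response, $data ) {
    if ( empty( $data['hypo_backup'] ) ) {
        return $response;
    }
    // $data comes straight from the heartbeat POST; any logged-in user controls it.
    $is_admin = ! empty( $data['hypo_backup']['is_admin'] );
    if ( $is_admin ) {
        $response['hypo_backup_nonce'] = wp_create_nonce( 'hypo_backup_download' );
    }
    return $response;
}

// HARDENED: decide on the server from the current user's capabilities only.
function hypo_backup_heartbeat_safe( $response, $data ) {
    if ( empty( $data['hypo_backup'] ) ) {
        return $response;
    }
    // manage_options is held by administrators (and super admins) only.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response; // low-privilege callers get nothing extra back
    }
    $response['hypo_backup_nonce'] = wp_create_nonce( 'hypo_backup_download' );
    return $response;
}

// The download endpoint must repeat the capability check: a valid nonce only
// proves the request originated from the site's own page, not that the caller
// is allowed to read backups.
function hypo_backup_download() {
    check_ajax_referer( 'hypo_backup_download', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // ... stream the backup file to the administrator here ...
}

add_filter( 'heartbeat_received', 'hypo_backup_heartbeat_safe', 10, 2 );
add_action( 'wp_ajax_hypo_backup_download', 'hypo_backup_download' );
```

When auditing a plugin for this class of bug, look for any authorization decision derived from `$_POST`, `$_GET` or heartbeat `$data` rather than from `current_user_can()`, and confirm that every endpoint serving backup files repeats the check itself.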
Earlier this year, WordPress was breached indirectly, through a GoDaddy attack that exposed 1.2 million accounts. If you’re using WordPress with the UpdraftPlus plugin, make sure it has been updated to 1.22.4 or later on the free version, or 2.22.4 or later on the premium version.