A high-severity vulnerability in a popular WordPress backup plugin can be exploited by unauthenticated attackers. The vulnerability is rated 8.8 on a scale of 0.0 to 10.
The vulnerability affects the popular Updraft Plus WordPress plugin, installed on more than 3 million websites. Updraft Plus comes in free and paid versions that let users upload backups to their own cloud storage or send the backup files by email. The plugin allows users to back up a website manually or schedule automatic backups. It offers a great deal of flexibility in what can be backed up, can make a huge difference when recovering from a catastrophic server issue, and is also useful for a full migration to another server.
Wordfence explains the vulnerability:
“UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.24.11 via deserialization of untrusted input in the ‘recursive_unserialized_replace’ function. This allows unauthenticated attackers to inject a PHP object.
No known POP chain is present in the vulnerable software. If the POP chain is present through a plug-in or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.”
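The Wordfence description above boils down to one unsafe pattern: feeding attacker-influenced serialized data to PHP's unserialize() with class instantiation enabled, so that magic methods of any class present on the site run before the plugin ever inspects the result. The following is an added illustration, not code from UpdraftPlus or Wordfence; the AuditLogger class, the function names, and the serialized sample payloads are constructed for the example. It shows the vulnerable call, the allowed_classes mitigation built into PHP, and a length-aware string substitution that never instantiates objects at all, which is the approach the changelog's "removal of calls to unserialize()" alludes to.

```php
<?php
// Added illustration (not UpdraftPlus code): why unserialize() on untrusted
// input is dangerous, and two ways a search/replace routine can avoid it.

// Hypothetical stand-in for any class a plugin or theme might define with a
// magic method. __wakeup() is invoked automatically while unserialize()
// rebuilds the instance, before the caller sees the returned value.
class AuditLogger
{
    public string $message = '';

    public function __wakeup(): void
    {
        echo "[__wakeup fired] {$this->message}\n";
    }
}

// Constructed sample: a value that a migration search/replace might walk.
// Instead of plain text it carries a serialized object.
$untrusted = 'O:11:"AuditLogger":1:{s:7:"message";s:31:"magic method ran during restore";}';

// 1. Vulnerable pattern: classes are instantiated and magic methods run.
function unsafeRestore(string $blob): mixed
{
    return unserialize($blob);                         // __wakeup runs here
}

// 2. Mitigation A: forbid class instantiation (available since PHP 7.0).
// Objects come back as __PHP_Incomplete_Class and no magic methods execute.
function safeRestore(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// 3. Mitigation B: never deserialize at all. Treat the blob as an opaque
// byte string, rewrite only s:N:"..." string values (honouring the declared
// byte length, since serialized strings are not escaped), and skip any blob
// that contains an object so nothing is ever instantiated.
function replaceInSerializedStrings(string $blob, string $from, string $to): string
{
    if (preg_match('/(?:^|[;{])[OC]:\d+:"/', $blob) === 1) {
        return $blob;   // object payload present: leave untouched, as a hardened plugin does
    }
    $out = '';
    $pos = 0;
    $len = strlen($blob);
    while ($pos < $len) {
        if (preg_match('/\Gs:(\d+):"/', $blob, $m, 0, $pos) === 1) {
            $n     = (int) $m[1];
            $start = $pos + strlen($m[0]);
            $value = substr($blob, $start, $n);          // exact byte length
            $new   = str_replace($from, $to, $value);
            $out  .= 's:' . strlen($new) . ':"' . $new . '";';
            $pos   = $start + $n + 2;                    // skip closing quote and ';'
        } else {
            $out .= $blob[$pos++];
        }
    }
    return $out;
}

// The unsafe call triggers the magic method; the safe call does not.
$obj = unsafeRestore($untrusted);
$inc = safeRestore($untrusted);
var_dump($inc instanceof __PHP_Incomplete_Class);

// Ordinary string data can still be migrated without instantiating anything.
$plain = 'a:1:{s:3:"url";s:18:"http://dev.example";}';
echo replaceInSerializedStrings($plain, 'dev.example', 'prod.example'), "\n";
```

The point of the third function is the one the changelog makes: once unserialize() is gone from the replace path, a stray object in the data is simply skipped rather than instantiated, at the cost of a few substitutions that would otherwise have reached inside object properties.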
The Updraft Plus changelog appears to minimize the vulnerability, not even calling the update a security patch, instead labeling it as a “tweak.”
From the official WordPress Updraft Plus plugin changelog:
“TWEAK: Complete review and removal of calls to the PHP function unserialize() that enable class instantiation started in 1.24.7. (The final removal involved a theoretical security flaw if your development site allowed an attacker to post content to it that you migrated to another site that contained custom code that could perform destructive actions that the attacker knew about before you cloned the result of this removal is that some search substitutions, which are unlikely to be encountered in practice, will be skipped.”
Users are encouraged to consider updating their Updraft Plus installations to the latest version, 1.24.12. All versions before the latest are vulnerable.
Read the Wordfence advisory:
UpdraftPlus: WP Backup & Migration Plugin <= 1.24.11 - Unauthenticated PHP object injection