JAKARTA - Over the past few days, millions of WordPress sites have received forced patch updates. This is because there is a vulnerability in UpdraftPlus, a popular plugin that allows users to create and restore website backups.
UpdraftPlus developers requested a mandatory patch, as the vulnerability would allow anyone with an account to download the entire website's database.
Databases often include sensitive information about customers or site security settings, leaving millions of sites vulnerable to serious data breaches that spill passwords, usernames, IP addresses, and more.
This bug was discovered by Jetpack security researcher Marc Montpas during a plugin security audit. "This bug is quite easy to exploit, with some very bad results if exploited," said Montpas.
"That allows low-privileged users to download site backups, which include raw database backups."
UpdraftPlus simplifies the process of backing up and restoring website databases and is the most widely used scheduled backup plugin on the Internet for WordPress content management systems.
It simplifies backing up data to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses less server resources than competing WordPress plugins.
Launching Engadget, Monday, February 21, after finding the bug, Montpas immediately notified the UpdraftPlus developers about the bug on Tuesday last week. They fixed it a day later and started installing the patch forcibly soon after.
A total of 1.7 million sites have received patches from over 3 million users. Montpas explained, the main weakness in UpdraftPlus is not implementing WordPress's "heartbeat" function properly.
The plugin also doesn't check properly to see if the user has administrative rights. Another issue is the variables used to validate admins which can be modified by untrusted users.
WordPress was previously compromised earlier this year, but it was done indirectly via a GoDaddy hack that exposed 1.2 million accounts. If you are running WordPress with the UpdraftPlus plugin, you should ensure that the plugin is automatically updated to 1.22.4 or later on the free version, and 2.22.4 and higher on the premium app.
The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)
