A security researcher at Automattic has discovered a vulnerability affecting the popular WordPress backup plugin, UpdraftPlus. The vulnerability allowed hackers to download hashed usernames and passwords. Automattic calls it a “critical vulnerability”.
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is a popular WordPress backup plugin that is actively installed on over 3 million websites.
The plugin allows WordPress administrators to back up their WordPress installations, including the entire database containing user credentials, passwords, and other sensitive information.
Because the data the plugin backs up is so sensitive, publishers rely on UpdraftPlus to meet the highest security standards.
The vulnerability was discovered through an audit conducted by a security researcher at Automattic’s Jetpack.
They discovered two previously unknown vulnerabilities.
The first has to do with how UpdraftPlus leaked its security tokens, called nonces. This allowed an attacker to get hold of the backup, including its nonce.
According to WordPress, nonces are not meant to be the main line of defense against attackers. WordPress explicitly states that functionality should be protected by verifying that the current user has the appropriate capabilities (using the current_user_can() function).
“Nonces should never be relied upon for authentication, authorization, or access control. Protect your functionality with current_user_can(), and always assume that nonces can be hacked.”
The second vulnerability was related to improper role validation of registered users, which is exactly the gap WordPress warns plugin developers to close.
Improper user role verification allowed anyone with data from the previous vulnerability to download any of the backups, which of course contained sensitive information.
Jetpack describes it:
“Unfortunately, the UpdraftPlus_Admin::might_download_backup_from_email method, linked to admin_init, didn’t check directly for users’ roles either.
Although it implemented some validation indirectly, such as checking the $pagenow global variable, previous research showed that this variable can contain arbitrary user input.
Bad actors can use this endpoint to download file and database backups based on the information leaked from the aforementioned heartbeat bug.”
The US government’s National Vulnerability Database warns that UpdraftPlus did not “… properly verify that a user has the requisite privileges to access the backup nonce identifier, which would allow any user with an account on the site (such as a subscriber) to download more recent Backup of the website and database.”
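To make the distinction WordPress draws concrete, here is an added example written for this article (it is not UpdraftPlus's or Jetpack's code): an admin_init download handler gated only by a nonce and $pagenow, beside one that checks the user's capability first. The handler names, the download_backup nonce action, the manage_options capability and the send_backup_file() helper are assumptions.

```php
<?php
// Added illustration, not UpdraftPlus or Jetpack code. Two hypothetical
// admin_init handlers for a "download_backup" request: the weak pattern the
// article describes (nonce plus $pagenow, no role check) beside a hardened one.

// WEAK: a nonce proves the request came from a page the user loaded; it says
// nothing about who the user is. $pagenow is derived from the request URI, so
// neither check stops a subscriber who holds a leaked nonce.
function weak_download_backup() {
    global $pagenow;
    if ( 'options-general.php' !== $pagenow ) {
        return;
    }
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'download_backup' ) ) {
        return;
    }
    send_backup_file( $_REQUEST['backup_id'] ); // hypothetical helper
}

// HARDENED: capability first, then the nonce, then strict input validation.
function hardened_download_backup() {
    if ( empty( $_REQUEST['action'] ) || 'download_backup' !== $_REQUEST['action'] ) {
        return;
    }
    // 1. Authorization: only users allowed to manage the site reach backups.
    //    Subscribers do not have manage_options, so they stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to download backups.' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: check_admin_referer() verifies the nonce and calls
    //    wp_die() itself on failure, so there is no fall-through.
    check_admin_referer( 'download_backup' );
    // 3. Input: accept only a constrained identifier, never a raw path.
    $backup_id = isset( $_REQUEST['backup_id'] )
        ? sanitize_key( wp_unslash( $_REQUEST['backup_id'] ) )
        : '';
    if ( '' === $backup_id ) {
        wp_die( esc_html__( 'Invalid backup identifier.' ), '', array( 'response' => 400 ) );
    }
    send_backup_file( $backup_id ); // hypothetical helper
}

// Only the hardened handler is hooked; the weak one is shown for contrast.
add_action( 'admin_init', 'hardened_download_backup' );
```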
UpdraftPlus forced WordPress updates
The vulnerability was so severe that WordPress took the unusual step of forcing automatic updates on all installations that had not yet updated UpdraftPlus to the latest version.
But publishers are advised not to take it for granted that their installation has been updated.
Affected versions of UpdraftPlus
Free versions of UpdraftPlus prior to 1.22.3 and premium UpdraftPlus versions prior to 2.22.3 are vulnerable to attack.
It is recommended that publishers check to see that they are using the latest version of UpdraftPlus.