
WordPress forces a plugin update after a serious vulnerability is found

Automattic, the company behind the popular content management system (CMS) on the Internet, has pushed a forced update of the UpdraftPlus plugin to the more than three million sites that have it installed, regardless of the update settings their respective administrators had configured.

This is an exceptional measure that affects even large companies. UpdraftPlus is a plugin specialized in making backups and restoring content, with basic functions and advanced options.

On February 14th, Automattic security researcher Marc Montpas discovered the security problem, which was assigned the tracking number CVE-2022-0633 and a CVSS v3.1 score of 8.5.

Two days later, a new version correcting the vulnerability was already available, and it is this version that Automattic is forcing sites to update to. There is currently an even newer version, 1.22.4, which can be installed manually on websites that have not yet been force-updated, while those that have opted for the Premium edition have version 2.22.3 available.

Security issue fixed

It allowed any basic user registered on a website to receive a backup copy of the website via email, including login credentials and more, without needing administrator privileges.

The flaw lies in how the plugin validated the permissions required to access the backups: it was possible to build a valid link that allowed the files to be downloaded, by sending a request with a "data" parameter that granted access to the website's latest backup.
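The class of gap described above, illustrated with a hypothetical WordPress download handler written for this post (it is not UpdraftPlus code; the function names, the `my_backup_dir` option and the `admin_post_my_backup_download` hook are assumptions): the weak handler only checks that a user is logged in, while the hardened one requires an administrator capability and a nonce bound to the current user.

```php
<?php
// Hypothetical backup-download handler, added as an illustration.
// Not UpdraftPlus code; all names below are assumptions.

// Weak version: any logged-in account, including a Subscriber, passes this
// check, which is the kind of privilege gap the article describes.
function my_backup_download_weak() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    my_stream_latest_backup();
}

// Hardened version: require an administrator-level capability and a nonce
// tied to the current user before anything is served.
function my_backup_download() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'my_backup_download' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    my_stream_latest_backup();
}

// Serve the newest archive from the configured backup directory; the file is
// chosen server-side, so no client-supplied name or token decides the path.
function my_stream_latest_backup() {
    $dir   = trailingslashit( get_option( 'my_backup_dir', WP_CONTENT_DIR . '/my-backups' ) );
    $files = glob( $dir . '*.zip' );
    if ( empty( $files ) ) {
        wp_die( 'No backup available', '', array( 'response' => 404 ) );
    }
    usort( $files, function ( $a, $b ) { return filemtime( $b ) - filemtime( $a ); } );
    $path = $files[0];
    if ( strpos( realpath( $path ), realpath( $dir ) ) !== 0 ) {
        wp_die( 'Invalid path', '', array( 'response' => 400 ) );
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

add_action( 'admin_post_my_backup_download', 'my_backup_download' );
```

The link an administrator follows would be generated with `wp_nonce_url( admin_url( 'admin-post.php?action=my_backup_download' ), 'my_backup_download' )`, so a nonce copied from another account fails verification.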

According to the plugin developers:

Right now, (the appearance of a PoC) depends on a hacker reverse-engineering the changes in the latest version of UpdraftPlus to resolve it.

According to WordPress statistics, quite a few updates have already been carried out since the 16th, when the new versions of the UpdraftPlus plugin with the vulnerability corrected became available.

Via: Bleeping Computer
