On Feb 14, 2022, a security researcher, Marc-Alexandre from Jetpack, discovered a high-severity vulnerability in the UpdraftPlus WordPress plugin. The flaw, tracked as CVE-2022-0633 with a base score of 8.5, lets an attacker download the WordPress site's backup files, which contain sensitive data. This could allow the attacker to take control of the website. WordPress site owners who use this plugin should pay attention to this post, as we are going to explain how to fix CVE-2022-0633, an Authenticated Backup Download Vulnerability in the UpdraftPlus WordPress Plugin.
About The UpdraftPlus Plugin:
The UpdraftPlus plugin is the world's highest-ranking and most popular backup plugin. It offers full, manual, or scheduled backups of the whole WordPress site (files, databases, plugins, and themes) to any location, from the local drive to remote cloud storage such as OneDrive, Dropbox, Google Drive, Amazon S3, and many more, with a single click.
Summary Of CVE-2022-0633:
According to the security researcher Marc Montpas, the CVE-2022-0633 vulnerability allows any logged-in user, even one with only subscriber-level access, to download the backups created by the UpdraftPlus plugin.
The research found that the plugin uses a 'nonce' and a 'timestamp' parameter to identify each created backup. These parameters were intended to validate that the requester is an admin user before granting access to the backup files. The actual vulnerability lies in the improper implementation of this validation, which failed to verify that the requester is an admin. This hole let attackers craft a malicious request to obtain information about the site's latest backup, including the backup's nonce.
Upon successful exploitation of this vulnerability, attackers gain access to WordPress configuration files, database files, media files, themes, and everything else the backup file stores. If an attacker manages to obtain credentials stored in the database, they could take over the complete WordPress website.
This flaw puts more than 3 million websites at risk of having their backup files stolen. The numbers alone show the potential impact of the flaw. Please read the full details here.
| Attribute | Value |
|---|---|
| Associated CVE ID | CVE-2022-0633 |
| Description | An Authenticated Backup Download Vulnerability in UpdraftPlus WordPress Plugin |
| Associated ZDI ID | – |
| CVSS Score | 8.5 High |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | Low |
| User Interaction (UI) | None |
UpdraftPlus Plugin Versions Affected By The CVE-2022-0633 Vulnerability:
All versions of the UpdraftPlus plugin from 1.16.7 to 1.22.2 are vulnerable to the flaw. It is advisable to take swift action to fix the CVE-2022-0633 vulnerability.
How To Fix CVE-2022-0633, An Authenticated Backup Download Vulnerability In The UpdraftPlus WordPress Plugin?
UpdraftPlus has released version 1.22.3 to patch the vulnerability. Because of the severity of the issue, UpdraftPlus has pushed a forced auto-update. We urge you to verify the current version of UpdraftPlus on your WordPress website and update the plugin to version 1.22.3 / 2.22.3 or later. You can find UpdraftPlus's official advisory here.
How to upgrade the UpdraftPlus plugin in WordPress?
You don't have to upgrade the plugin manually if you have enabled the auto-update option. Otherwise, follow this simple procedure to upgrade the plugin manually.
- Log in to the WordPress Admin page
- Select the ‘Plugins’ option from the left-hand menu
- Upgrade the plugin: select the ‘Enable auto-updates’ option to receive automatic updates, or click the ‘Update Now’ option right below the plugin. Note that the ‘Update Now’ option is only available once the plugin author has rolled out an update.
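As an added example (not from the advisory, and not UpdraftPlus's or WP-CLI's own code), the following POSIX shell helper tells whether an installed UpdraftPlus version falls inside the affected range 1.16.7 to 1.22.2 stated above and, using WP-CLI (assumed to be installed and run from the site root), updates the plugin only when it does:

```shell
#!/bin/sh
# Added example: version-range check for CVE-2022-0633 plus a WP-CLI update step.
# Assumes WP-CLI ('wp') is installed and the script runs from the WordPress root.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Missing components count as 0, so "1.22" sorts below "1.22.2".
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the version lies in the affected range 1.16.7 .. 1.22.2.
updraftplus_affected() {
    v=$1
    [ "$(vercmp "$v" 1.16.7)" -ge 0 ] && [ "$(vercmp "$v" 1.22.2)" -le 0 ]
}

# Read the live installed version via WP-CLI and update only if affected.
check_and_update() {
    installed=$(wp plugin get updraftplus --field=version 2>/dev/null) || {
        echo "UpdraftPlus not installed or WP-CLI unavailable"; return 2; }
    if updraftplus_affected "$installed"; then
        echo "UpdraftPlus $installed is affected by CVE-2022-0633; updating"
        wp plugin update updraftplus
    else
        echo "UpdraftPlus $installed is outside the affected range"
    fi
}
```

Source the file and call `check_and_update` on the site host; the Premium 2.x line (2.22.3 and later) is correctly reported as outside the range.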
For a WordPress website, it is mandatory to keep all plugins up to date. But updating plugins alone is not enough to protect your WordPress website. We highly recommend subscribing to a security solution such as Jetpack or Wordfence.
Both Jetpack and Wordfence work hard to protect your WordPress website from such threats and vulnerabilities. If you use Jetpack on your website, we recommend subscribing to the Jetpack Security plan, which covers malicious file scanning and backups. If you use Wordfence Premium on your WordPress website, your site is protected from exploits targeting this vulnerability, as Wordfence implemented a firewall rule on Feb 17, 2022, for Premium subscribers. Wordfence said that free users would receive this rule after 30 days, on Mar 19, 2022.