A security researcher has discovered a severe vulnerability in UpdraftPlus, a backup plugin for WordPress, that allows any logged-in user of a site to download its backups and the sensitive data they contain.
UpdraftPlus is a popular general-purpose backup and restore plugin for WordPress with over 3 million installations.
After security researcher Marc Montpas discovered and reported the vulnerability, tracked as CVE-2022-0863, UpdraftPlus patched the plugin in version 1.22.3, released on February 17, 2022.
“This vulnerability allows any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration files which can be used to access the site database as well as the contents of the database itself,” Wordfence wrote in a blog post.
Wordfence later updated the post to note that an attacker could “obtain a full log containing a backup nonce and timestamp at any time, making this vulnerability significantly more exploitable.” (UpdraftPlus uses the term “backup nonce” for the random identifier embedded in the file names of each backup set; together with the timestamp, it is what a download request needs in order to name a specific backup.)
Wordfence also updated its firewall rule to block attempts to exploit the flaw against its customers.
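The bug class described above is a privileged action that is reachable without an authorization check. A handler that verifies a WordPress nonce but never asks what the user is allowed to do behaves exactly as the quote describes: a nonce ties a request to a logged-in session and an action name, not to a privilege level, so a subscriber who can obtain the nonce value passes the check. The following is an added illustration written for this page, not code from UpdraftPlus or Wordfence; the hook name `demo_download_backup`, the nonce action `demo-backup-nonce`, the `demo_backup_dir()` helper and the archive file-name pattern are hypothetical.

```php
<?php
// Added example: an illustrative WordPress AJAX download handler, not UpdraftPlus or Wordfence code.
// The hook name, nonce action, directory helper and file-name pattern are hypothetical.

// Hypothetical location of backup archives under the uploads directory.
function demo_backup_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'demo-backups';
}

// WEAK: check_ajax_referer() only proves the request carries a valid nonce for this
// action from some logged-in session. It is not an authorization check: a subscriber
// who obtains the nonce value (for example from a response that every authenticated
// user can request) passes it and can fetch any archive by name.
function demo_download_backup_weak() {
    check_ajax_referer( 'demo-backup-nonce', 'nonce' );

    $file = demo_backup_dir() . '/' . $_GET['file'];   // also unvalidated: allows ../ traversal
    if ( ! is_readable( $file ) ) {
        wp_send_json_error( 'no such backup', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    readfile( $file );
    exit;
}

// HARDENED: decide first whether this user may download backups at all, then verify
// the nonce, then accept only a file name of the expected shape that resolves inside
// the backup directory.
function demo_download_backup_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_send_json_error() exits
    }
    check_ajax_referer( 'demo-backup-nonce', 'nonce' );

    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    // Allow-list the archive name; hypothetical pattern: backup_<date>_<12 hex id>.zip
    if ( ! preg_match( '/^backup_\d{4}-\d{2}-\d{2}_[a-f0-9]{12}\.zip$/', $name ) ) {
        wp_send_json_error( 'bad backup name', 400 );
    }

    $dir  = realpath( demo_backup_dir() );
    $file = realpath( $dir . '/' . $name );
    if ( false === $dir || false === $file || strpos( $file, $dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'no such backup', 404 );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $file ) );
    readfile( $file );
    exit;
}

// Register only the hardened handler, and only for logged-in users (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_demo_download_backup', 'demo_download_backup_hardened' );

// Admin pages obtain the nonce with wp_create_nonce( 'demo-backup-nonce' ). Because the
// capability check runs first, leaking that value to a low-privilege user is no longer enough.
```

The order in the hardened handler matters: the capability check comes before the nonce check and before any use of request parameters, so a caller who is not an administrator learns nothing about file names or nonces from the response. `manage_options` is the capability WordPress grants to administrators; a plugin that defines its own backup capability would test that instead.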
WordPress site owners and administrators are strongly encouraged to update UpdraftPlus to version 1.22.3 or later as soon as possible. Because the exposed data is the backup itself, a site that may have been exploited should also treat the contents of its backups as compromised, in particular the database credentials and keys in wp-config.php, and rotate them.