The WordPress plug-in “UpdraftPlus” was patched on Wednesday to correct a vulnerability that left sensitive backups at risk, potentially exposing personal information and authentication data.
UpdraftPlus is a tool for creating, restoring and migrating backups for WordPress files, databases, plug-ins and themes. According to its website, UpdraftPlus is used by more than three million WordPress websites, including those from organizations like Microsoft, Cisco and NASA.
On Monday, Marc-Alexandre Montpas – security engineer at Automattic Inc., WordPress’ parent company – submitted a security defect report detailing a “severe vulnerability” that’s since been labeled CVE 2022-0633. The flaw’s severity rating is listed as High, at 8.5.
According to a security bulletin posted by UpdraftPlus on Wednesday, the zero day allowed “any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only.”
Backups are among the most sensitive assets in an IT environment, as they usually contain all kinds of user data, financial data, database configurations – really, anything and everything of value.
Some of this data can later be leveraged towards even more advanced attacks.
“Access to the backups and database will likely first be used for credential theft,” John Bambenek, principal threat hunter at Netenrich, told Threatpost via email on Thursday, “but there are many possibilities for attackers to take advantage of the information.”
The fundamental flaw in this case was the mechanism by which UpdraftPlus validated who was requesting backups. As outlined by WordPress security analysts at Wordfence,the attack starts with the WordPress heartbeat function.
“The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter,” they said in a Thursday writeup. “By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”
Crucially, the attacker would already need access to the target site in order to leverage the vulnerable heartbeat function. This reduces the risk to websites to only insider threats.
The popularity of UpdraftPlus, combined with the simplicity of this attack, are a potent combination.
And as Bud Broomhead, CEO at Viakoo, remarked via email to Threatpost on Thursday, “there is always a delay between finding a vulnerability and applying the security fix. This is a case for making all users (paid or not) receive security patches for high-severity vulnerabilities such as this.”
Part of a Much Broader Trend
CVE 2022-0633 is hardly unique. Security flaws in WordPress plug-ins have become the dernier cri in web security in recent months.
In January, a cross-site scripting bug in the WP HTML Mail plug-in exposed over 20,000 sites, and an authentication vulnerability similar to CVE 2022-0633 was discovered in three different plug-ins servicing a combined 84 thousand sites. On Jan. 18 alone, two major security incidents broke: a 9.9 out of 10-rated vulnerability discovered in the AdSanity plug-in, and a coordinated supply chain compromise of 40 themes and 53 plug-ins belonging to AccessPress Themes.
WordPress vulnerabilities are nothing new, but they more than doubled in 2021 and don’t seem to be slowing down any time soon.
As Broomhead noted, “exploits in widely used plugins or components (e.g. similar to Log4j, or recent open source vulnerabilities) have a harsh reality; it’s up to each and every end user to take action to prevent the vulnerability from being exploited against them.”
On Wednesday, UpdraftPlus released its patched versions 1.22.3 (free) and 2.22.3 (paid). Administrators for vulnerable WordPress websites should update as soon as possible.