Skip to main content

WordPress plugin vulnerability exposed millions of websites to attack

WordPress 5.9 Beta 1
(Image credit: WordPress)
Audio player loading…

A popular backup WordPress plugin (opens in new tab) with more than three million users has recently patched up a vulnerability that allowed threat actors access to passwords, identity information, and other sensitive data.

As reported by WordFence security analysts, researcher Marc Montpas discovered a vulnerability in UpdraftPlus, a backup, restore and clone plugin for WordPress (opens in new tab).

UpdraftPlus has a feature that allows users to send a download link to the backup, via email, to an address designated by the site’s owner. However, this feature has been implemented poorly, the researcher has found, and allows pretty much anyone, even subscriber-level users, to create a valid link that would allow them to download backup files.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window (opens in new tab) <<

Patch immediately

To exploit the vulnerability, however, the attacker would need to have an active account on the target system, the researchers further explain, concluding that such an attack would need to be targeted. The potential consequences are described as “severe”, which is why the researchers are using all UpdraftPlus users to update their plugins immediately.

The patched up version is 1.22.3.

WordPress plugins often come with critical flaws that could allow attackers full website takeover. Just a few weeks ago, a popular WordPress plugin used by more than a million websites was found to be carrying a critical remote code execution (RCE) flaw

Another vulnerability was also recently discovered in the “WordPress Email Template Designer - WP HTML Mail”, plugin, which allowed for an unauthenticated attacker to inject malicious JavaScript that would run whenever a site admin accesses the template editor, while in late October 2021, researchers discovered a flaw in the Hashthemes Demo Importer plugins that could be exploited to completely wipe and reset any vulnerable WordPress website (opens in new tab).

WordPress Email Template Designer - WP HTML Mail is used by 20,000 websites, while Hashthemes Demo Importer plugins count more than 8,000 users.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.