Critical Vulnerability Found in Popular WordPress Backup Plugin: UpdraftPlus
A high-severity vulnerability in the popular WordPress plugin UpdraftPlus affects 3+ million sites, allowing unauthenticated attackers to exploit PHP Object Injection. Learn how to protect your site by updating to version 1.24.12 and ensuring your WordPress plugins and themes are secure.
A high-severity vulnerability has been discovered in the widely used UpdraftPlus: WP Backup & Migration Plugin, which is currently installed on over 3 million WordPress sites. Rated 8.8 out of 10 on the CVSS (Common Vulnerability Scoring System), this flaw poses a significant security risk by allowing unauthenticated attackers to exploit the plugin's functionality.
What Is UpdraftPlus?
UpdraftPlus is one of the most popular WordPress backup plugins, offering both free and premium versions. The plugin enables users to:
- Perform manual or scheduled backups.
- Store backups on various cloud storage services (e.g., Google Drive, Dropbox, or Amazon S3).
- Email backups for additional security.
- Easily migrate websites between servers.
Its robust features make it a critical tool for website owners, as it helps recover from catastrophic server failures and facilitates server migrations. However, the recent vulnerability underscores the importance of keeping such essential plugins up to date.
Details of the Vulnerability
According to Wordfence, the vulnerability stems from PHP Object Injection, caused by the deserialization of untrusted input in the plugin's recursive_unserialized_replace function. Here’s what that means in practical terms:
- Attack Vector: Unauthenticated attackers can inject a PHP Object into the system.
- Potential Damage: If a POP (Property-Oriented Programming) chain exists through another plugin or theme on the same site, attackers could:
  - Delete arbitrary files.
  - Access sensitive data.
  - Execute malicious code.
- Trigger Mechanism: The exploit requires an administrator to perform a search and replace action, which activates the vulnerability.
While there is no known POP chain directly within UpdraftPlus, the risk increases if vulnerable third-party plugins or themes are also installed.
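As an added illustration (not UpdraftPlus code; the class and function names are hypothetical), here is the unsafe pattern of running unserialize() on stored values during a search-and-replace, beside the hardened call that disables class instantiation, which is the change the changelog describes. ExampleGadget stands in for a class that some other installed plugin or theme might define.

```php
<?php
// Added example, not UpdraftPlus code. ExampleGadget stands in for a class
// that some other installed plugin or theme might define.
class ExampleGadget {
    public string $path = '';
    public function __destruct() {
        // A real gadget might unlink($this->path); this one only reports.
        echo "ExampleGadget::__destruct ran with path={$this->path}\n";
    }
}
// Walk strings and arrays, replacing text; objects pass through untouched.
function replace_recursive($data, string $from, string $to) {
    if (is_string($data)) {
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = replace_recursive($v, $from, $to);
        }
    }
    return $data;
}

// Unsafe: any class named in the stored value is instantiated, so its magic
// methods (__wakeup, __destruct, ...) run with attacker-chosen properties.
function unsafe_replace(string $value, string $from, string $to): string {
    $data = @unserialize($value);
    if ($data === false) {           // not serialized data: plain replace
        return str_replace($from, $to, $value);
    }
    return serialize(replace_recursive($data, $from, $to));
}

// Hardened: allowed_classes => false turns every object in the payload into
// a __PHP_Incomplete_Class, so no plugin or theme code can run.
function safe_replace(string $value, string $from, string $to): string {
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false) {
        return str_replace($from, $to, $value);
    }
    return serialize(replace_recursive($data, $from, $to));
}
// Constructed sample: a serialized option array that names ExampleGadget.
$stored = 'a:2:{s:4:"home";s:18:"http://old.example";'
        . 's:5:"extra";O:13:"ExampleGadget":1:{s:4:"path";s:12:"/tmp/example";}}';
$out = unsafe_replace($stored, 'old.example', 'new.example'); // destructor fires
echo "unsafe: $out\n";
$out = safe_replace($stored, 'old.example', 'new.example');   // nothing runs
echo "safe:   $out\n";
```

The hardened version still completes the migration: the incomplete object is re-serialized under its original class name, so the stored value round-trips without executing any code from that class.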
How Was This Vulnerability Addressed?
The developers of UpdraftPlus released version 1.24.12, which patches the vulnerability. However, the official changelog downplayed the severity, referring to it as a mere “tweak”:
Changelog Excerpt:
“TWEAK: Complete the review and removal of calls to the unserialize() PHP function allowing class instantiation begun in 1.24.7. (The final removal involved a theoretical security defect, if your development site allowed an attacker to post content to it which you migrated to another site, and which contained customised code that could perform destructive actions which the attacker knew about, prior to you then cloning the site.)”
The description suggests the issue is a theoretical edge case, but the Wordfence advisory classifies it as a serious vulnerability, warranting immediate attention.
What Should You Do?
Action Steps for Site Owners:
- Update Immediately: If you're using UpdraftPlus, upgrade to version 1.24.12 or higher. All previous versions are vulnerable.
- Audit Your Site:
- Review other plugins and themes installed on your website to ensure they are also up to date.
- Check for additional vulnerabilities that could form a POP chain, increasing the risk of exploitation.
- Enable Auto-Updates: Consider enabling automatic updates for critical plugins like backup tools to ensure timely protection against security flaws.
- Backup Safely: Ironic as it may sound, always maintain regular backups to protect your site in case of future incidents.
For Developers and Security Teams:
- If managing multiple WordPress installations, automate plugin updates using tools like WP-CLI or managed hosting platforms.
- Monitor logs and conduct regular security scans to detect unusual activity.
Why This Matters
Backup plugins are a cornerstone of website management and recovery strategies, making them prime targets for attackers. The UpdraftPlus vulnerability serves as a reminder of the importance of plugin security. Keeping plugins up to date, auditing for unused or outdated software, and being vigilant about advisories are essential practices for safeguarding WordPress sites.
For more details, consult the official advisory by Wordfence:
UpdraftPlus: WP Backup & Migration Plugin <= 1.24.11 – Unauthenticated PHP Object Injection.
Stay proactive, and protect your website!