WordPress Plugin Vulnerability Allows Attacker to Steal Data Backups

Researchers from the Wordfence Threat Intelligence team identified a new vulnerability in the UpdraftPlus plugin for WordPress websites. The plugin has over three million downloads. The vulnerability could allow a user of the website, even one at the lowest subscriber level, to download backups made with the plugin. Backup data typically contains a trove of information, some of which can be sensitive. The main purpose of the plugin is to be used by administrators to back up data on their websites, so it came as no surprise to researchers when they identified that the issue allowed anyone to access the data. A patch has been released for this plugin, and the most current version is 1.22.3.

Analyst Notes

Since a patch has been released for this issue, websites running an older version of UpdraftPlus should be updated to the most recent version as soon as possible. The consequence of an attacker using this vulnerability to obtain backup files is as severe as any other data breach, and the stolen data can be expected to be used in the same ways, depending on the website and how sensitive the information it stores is.

https://www.zdnet.com/article/vulnerability-found-in-wordpress-plugin-with-over-3-million-installations/