UpdraftPlus is a plugin used by most WordPress sites for backing up data. It is used by almost three million people worldwide. Previously, this plugin was reported to have an authenticated backup download vulnerability, in which an attacker can guess the timestamp of the backup and exploit it during the backup time.
UpdraftPlus released patches to fix the vulnerability by the time it surfaced. Most companies use the backup option as a safety measure. Backups can be considered an ocean of information that might even contain security credentials that can expose sensitive databases.
Companies usually prevent backups from becoming public. However, it was recently found that information about the backup time and timestamp can be obtained relatively easily, making this vulnerability more exploitable.
Marc Montpas, a security researcher, recently reported that any logged-in user, including subscriber-level users, can download backup data made with this plugin. If an attacker has the backup nonce, he can exploit this vulnerability and download any backup data, with an email being sent to his link through the “maybe_download_backup_from_email” option.
When the UpdraftPlus_Options::admin_page() === $pagenow check is performed, it can be fooled by the attacker. The $pagenow variable is meant to resolve to the options-general.php page, which cannot be accessed by external entities. Hence attackers create a specially crafted request for exploitation.
The researcher also found that with a request to wp-admin/admin-post.php/%0A/wp-admin/options-general.php?page=updraftplus, the $pagenow variable is fooled and the request is directed to the admin-post.php page. Finally, since all the backups are indexed by timestamp, the attacker either brute-forces the timestamp or exploits the unauthenticated download vulnerability to extract data about the database or backup log.
Vulnerability Details
Description: Authenticated Backup Download
Affected Plugin: UpdraftPlus
Plugin Slug: updraftplus
Plugin Developer: UpdraftPlus[.]Com
Affected Versions: 1.16.7 – 1.22.2
CVE ID: CVE-2022-0633
CVSS Score: 8.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Researcher/s: Marc Montpas
Fully Patched Version: 1.22.3
Users of UpdraftPlus are advised to update to the latest version, since this vulnerability can expose a lot of sensitive information if it is exploited by an attacker. Successful exploitation of this vulnerability can even result in a site takeover.
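A defender-side check for the crafted request shape and the affected version range described above, added here as an example and not code from UpdraftPlus or the researcher. It assumes combined-format web server access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Affected range from the advisory details above (fixed in 1.22.3).
AFFECTED_MIN, AFFECTED_MAX = (1, 16, 7), (1, 22, 2)
# Request part of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2022:10:01:02 +0000] "GET /wp-admin/admin-post.php/%0A/wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2022:10:01:05 +0000] "GET /wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 9876',
    '198.51.100.9 - - [01/Jan/2022:10:02:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0',
]


def is_affected(version):
    """True if a plugin version string falls inside the affected range."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return AFFECTED_MIN <= tuple(nums) <= AFFECTED_MAX


def is_pagenow_confusion(target):
    """Flag admin-post.php requests that carry an encoded line break followed
    by options-general.php in the path, with page=updraftplus in the query."""
    path, _, query = target.partition("?")
    path, query = unquote(path).lower(), unquote(query).lower()
    _, sep, tail = path.partition("/admin-post.php")
    if not sep:
        return False
    smuggled = ("\n" in tail or "\r" in tail) and "options-general.php" in tail
    return smuggled and "page=updraftplus" in query


def scan(lines):
    """Return (client_ip, target, status) for each suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_pagenow_confusion(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"suspicious: {ip} {status} {target}")
    print("1.22.2 affected:", is_affected("1.22.2"))
```

A hit on a site that was running a version in the affected range is a reason to review which backups existed at the time and to rotate any credentials stored in them.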