WordPress plugin can impact more than 3M installation

The new WordPress plugin “UpdraftPlus” came up with the vulnerability. This allows the hackers to download user names and passwords. It puts the resources at risk. The Automattic are calling it a “severe vulnerability”.

UpdraftPlus is one of the popular WordPress plugins. It has active usage over 3 million websites. This plugin also features the administrators to backup their WordPress installation. It was such an excellent plugin, enabling to backup of the entire database. The database can also feature credentials, passwords, and other information.

Publishers relied on this WordPress plugin. It also featured a high-security standard safeguarding sensitive data. Security researchers at Automattic Jetpack identified the vulnerability.

They also came up with the other two vulnerabilities. UpdraftPlus security tokens named “nonces” hold the potential to get leaked. An attacker can make the backup. To which WordPress gave defense on that issue. Nonces were also never meant for the first line of defense against the hacker.

WordPress also explained the first vulnerability, “Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.”

The second vulnerability was the improper validation of the registered user’s role. WordPress developers to take steps to lock down plugins. The improper validation also allows the open-source download of any backup. It put out all the sensitive information at threat.

The United States Government National Vulnerability database showed concern. It cautions the use of UpdraftPlus. Also, it doesn’t confirm user experience and restrains the right privileges.

The vulnerability is severe. Also, ignoring the vulnerability, WordPress forced the automatic updates. The installations are not the latest version.

The latest UpdraftPlus free version is going to have the premium versions. They are more vulnerable to the attack. The free version 1.22.3 and the UpdraftPlus premium versions are also vulnerable to attack. Publishers are at their own risk to go ahead with these versions.