Just got the below from UpdraftPlus for anyone that uses it.
https://teamupdraft.com/blog/important-security-update-for-updraftplus-and-updraftcentral-users/
Short Version
If you have UpdraftPlus or UpdraftCentral installed, then you should update them as soon as possible. This removes any problems. If you can’t update them now (e.g. due to an expired licence), then install the hotfix plugin that is linked below.
Longer version
With more powerful tools, security vulnerabilities are being discovered and shared with the world at an increasing rate. Whatever the consequences of this, any security vulnerabilities being identified and fixed are a good thing.
A security vulnerability affecting UpdraftPlus and UpdraftCentral has been identified by a researcher, and responsibly notified to us around 40 hours ago, and is fixed in a release made today.
This post is intended to explain the steps we’ve taken to keep your sites safe. We believe in prompt and transparent disclosure.
What was found - the vulnerability
Unfortunately, the vulnerability is a serious one, potentially allowing full site takeover. It affects only a small percentage of users (we estimate less than 10%), but for affected sites, bad actors could potentially take control of the site, and gain full access to all its contents.
Vulnerable versions
All versions of UpdraftPlus and UpdraftCentral from approximately the last 10-11 years are affected.
It is therefore essential to update whichever of UpdraftPlus and/or UpdraftCentral that you have installed (details of how are available below). Once you have updated your plugin, please take some time to make sure there are no unexpected new site administrators or plugins you didn’t expect to be present. You can also use a service like this one to scan your site for evidence of malicious activity (such a scan can’t tell you when or how that activity occurred).
We have no evidence of anyone attempting to exploit the vulnerability so far (we’ve checked over 200 sites since we were made aware of the vulnerability). We’re convinced there have not been any successful attacks, nor any attempted-but-unsuccessful attacks.
This is not a reason to avoid updating immediately. Now that an updated version has been released, attackers can attempt to reverse-engineer the changes to try to deduce the problem.
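One way to carry out the post-update check for unexpected administrators and plugins is sketched below. This is an added example, not part of the advisory and not UpdraftPlus code. It assumes you export the lists with WP-CLI (`wp user list` and `wp plugin list`, shown in the comments) and keep your own allowlists. The sample CSV, account names, plugin slugs and versions are constructed.

```python
import csv
import io

# Constructed sample of:
#   wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS = """user_login,user_email,user_registered
alice,alice@example.com,2019-03-02 10:15:00
wp_support,support@example.net,2025-01-01 03:12:44
"""

# Constructed sample of:
#   wp plugin list --fields=name,status,version --format=csv
SAMPLE_PLUGINS = """name,status,version
updraftplus,active,0.0.0
akismet,active,0.0.0
file-helper,active,0.0.0
"""

def rows(csv_text):
    """Parse WP-CLI CSV output into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))

def unexpected_admins(csv_text, known_logins):
    """Administrator accounts not on the allowlist, newest registration first."""
    known = {login.lower() for login in known_logins}
    extra = [r for r in rows(csv_text) if r["user_login"].lower() not in known]
    # "YYYY-MM-DD HH:MM:SS" sorts chronologically as a plain string.
    return sorted(extra, key=lambda r: r["user_registered"], reverse=True)

def unexpected_plugins(csv_text, known_slugs):
    """Installed plugins (any status) whose slug is not on the allowlist."""
    known = {slug.lower() for slug in known_slugs}
    return [r for r in rows(csv_text) if r["name"].lower() not in known]

if __name__ == "__main__":
    for r in unexpected_admins(SAMPLE_ADMINS, ["alice"]):
        print("unexpected admin:", r["user_login"], r["user_email"], r["user_registered"])
    for r in unexpected_plugins(SAMPLE_PLUGINS, ["updraftplus", "akismet"]):
        print("unexpected plugin:", r["name"], r["status"], r["version"])
```

Inactive plugins are reported too, since the advisory asks you to look for any plugin you didn't expect to be present, not only active ones.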