According to Ars Technica, millions of WordPress sites have been forced to patch in the last few days. A vulnerability in UpdraftPlus, a popular plugin that allows users to create and restore website backups, is to blame.
The vulnerability would allow anyone with an account to download a website’s entire database, so UpdraftPlus developers requested the mandatory patch.
The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin.
“This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” he told Ars Technica. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups.”
He reported the bug to UpdraftPlus developers on Tuesday last week; they fixed it the next day and began force-installing the patch shortly after. As of Thursday, 1.7 million sites had received it, out of a total user base of 3 million or more.
The main flaw was that UpdraftPlus, in its handler for WordPress’s “heartbeat” function, did not check whether the requesting user had administrative privileges.
Another problem was a variable used to validate administrators that could be changed by untrusted users. In a blog post, Jetpack went into greater detail about how a hack might work.
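As an added illustration (not UpdraftPlus’s own code and not taken from the Jetpack write-up), the PHP below sketches the two weaknesses just described in a hypothetical backup plugin, next to the server-side checks that close them; all `example_` names, the `admin_post_` action and the upload-directory layout are assumptions.

```php
<?php
// Added illustration, not UpdraftPlus code. Two hypothetical handlers showing the
// two weaknesses the article names and the server-side checks that close them.

// (1) Heartbeat hook: the handler must verify the caller's capability itself,
//     because WordPress's heartbeat endpoint answers any logged-in user.
add_filter( 'heartbeat_received', 'example_backup_heartbeat', 10, 2 );
function example_backup_heartbeat( $response, $data ) {
    if ( empty( $data['example_want_backup_list'] ) ) {
        return $response;
    }
    // The vulnerable pattern omits this check and answers every subscriber.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $response['example_backup_list'] = example_backup_files();
    return $response;
}

// (2) Download endpoint: "is this user an admin?" must come from the user record,
//     never from a request variable the client can set.
add_action( 'admin_post_example_download_backup', 'example_download_backup' );
function example_download_backup() {
    // Vulnerable pattern (do NOT use): trusts a client-supplied variable.
    // $is_admin = ( isset( $_REQUEST['example_role'] ) && 'admin' === $_REQUEST['example_role'] );

    // Hardened: capability from the authenticated user plus a per-user nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_download_backup' );

    $file = basename( (string) ( $_GET['file'] ?? '' ) ); // drop any path component
    if ( ! in_array( $file, example_backup_files(), true ) ) {
        wp_die( 'No such backup', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    readfile( example_backup_dir() . '/' . $file );
    exit;
}

// Assumed storage layout: archives live under uploads/example-backups/*.zip.
function example_backup_dir() {
    return trailingslashit( wp_upload_dir()['basedir'] ) . 'example-backups';
}
function example_backup_files() {
    return array_map( 'basename', glob( example_backup_dir() . '/*.zip' ) ?: array() );
}
```

The point of both fixes is the same: authorisation is decided from `current_user_can()` on the server, and nothing the client sends (heartbeat data, query parameters) is treated as proof of an admin role.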
Earlier this year, WordPress sites were also breached, though indirectly: a GoDaddy hack exposed 1.2 million accounts.
If you’re using WordPress and the UpdraftPlus plugin, make sure the plugin has been updated to version 1.22.4 or later (free version) or 2.22.4 or later (premium version).