Millions of WordPress websites are being compelled to update 

Published February 20, 2022
Author: Ash Khan

On Wednesday, the WordPress plug-in “UpdraftPlus” was patched to address a flaw that exposed critical backups, possibly revealing personal details and login credentials. 

UpdraftPlus is a backup service for WordPress files, databases, plug-ins, and themes that enables users to back up, restore, and migrate all of their data. According to its website, UpdraftPlus is used by over 3 million WordPress websites, including some belonging to Microsoft, Cisco, and NASA. 

The security engineer at Automattic Inc., WordPress’ parent company, filed a security flaw report on Monday describing a “serious risk”; the issue has since been designated CVE-2022-0633. The degree of the defect is assessed as Severe, at 8.5. 

The zero-day, according to an UpdraftPlus security alert released on Wednesday, permitted “any logged-in person on a WordPress installation with UpdraftPlus active to exercise the power of downloading an existing backup, a permission that should have been confined to administrator users exclusively.” 

Backups are one of the most vulnerable resources in an IT organization since they often include all types of user data, financial information, database setups – in short, almost everything of importance. 

This kind of information can eventually be used to launch much more sophisticated assaults. 

The main problem in this scenario was the process by which UpdraftPlus authenticated who was requesting a backup. According to IT Consultants, the assault begins with the WordPress heartbeat feature.

“The intruder must submit a specially designed heartbeat request with a data[updraftplus] argument,” they explained in a blog post on Thursday. “An invader can get entry to a backup log that contains a backup nonce and timestamp, which they may use to obtain a backup by supplying the necessary subparameters.”  

To exploit the insecure heartbeat function, the intruder first has to hold a logged-in account on the target website. This limits the threat to insider attacks, that is, attacks from accounts that already exist on the site. 
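Two things a site operator would want to check after reading the above are whether the installed plug-in predates the fixed releases, and whether any non-administrator account has been sending the heartbeat parameter that the bug abused. The following is an added example written for this article; it is not code from UpdraftPlus, WordPress, or the article's author. The request records are constructed, and the record layout (a parsed admin-ajax.php POST carrying the heartbeat action) is a hypothetical one that a WAF or request-logging plug-in would have to supply.

```python
"""Triage helpers for the UpdraftPlus backup-download flaw (CVE-2022-0633).

Added example, not code from UpdraftPlus, WordPress or the article's author.
The request records are constructed and their field layout is hypothetical.
"""
from dataclasses import dataclass, field

# Fixed releases named in the advisory: 1.22.3 (free) and 2.22.3 (premium).
FIXED_VERSIONS = {"free": (1, 22, 3), "premium": (2, 22, 3)}


def parse_version(text: str) -> tuple:
    """Turn '1.22.2' into (1, 22, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_update(installed: str, tier: str) -> bool:
    """True when the installed UpdraftPlus build predates the patched release for its tier."""
    return parse_version(installed) < FIXED_VERSIONS[tier]


@dataclass
class HeartbeatRequest:
    """One logged admin-ajax.php POST, reduced to the fields the check needs (hypothetical layout)."""
    user: str
    role: str                                    # WordPress role of the logged-in user
    action: str                                  # the admin-ajax 'action' parameter
    post_keys: set = field(default_factory=set)  # raw form-encoded keys present in the POST body


def is_suspicious(req: HeartbeatRequest) -> bool:
    """Flag heartbeat calls that carry data[updraftplus] from a non-administrator.

    The backup-download path is meant for administrators only, so the same
    parameter arriving from a lower-privileged account is the pattern to review.
    """
    return (
        req.action == "heartbeat"
        and "data[updraftplus]" in req.post_keys
        and req.role != "administrator"
    )


def triage(requests) -> list:
    """Return the user names behind every suspicious request, in log order."""
    return [r.user for r in requests if is_suspicious(r)]


# Constructed sample traffic, not captured data.
SAMPLE = [
    HeartbeatRequest("admin", "administrator", "heartbeat", {"data[updraftplus]", "_nonce"}),
    HeartbeatRequest("editor1", "editor", "heartbeat", {"data[wp-refresh-post-lock]"}),
    HeartbeatRequest("sub42", "subscriber", "heartbeat", {"data[updraftplus]", "_nonce"}),
]

if __name__ == "__main__":
    print("free 1.22.2 needs update:", needs_update("1.22.2", "free"))
    print("users to review:", triage(SAMPLE))
```

The administrator's own heartbeat call is deliberately not flagged: the plug-in's admin page uses the heartbeat channel legitimately, so the role, not the parameter alone, is what separates normal traffic from the abuse described above. Version comparison is done on integer tuples because a plain string comparison would rank "1.9.0" above "1.22.3".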

The prominence of UpdraftPlus, along with the ease of this assault, is a powerful combination. 

CVE-2022-0633 is not a one-of-a-kind vulnerability. In recent months, security weaknesses in WordPress plug-ins have become the latest topic in website security.

A cross-site scripting flaw in the WP HTML Mail plug-in compromised over 20,000 websites last month, and an authentication weakness comparable to CVE-2022-0633 was identified in 3 distinct plug-ins serving a total of 84 thousand websites. On the 18th of last month, two big security events occurred: a weakness rated 9.9 out of 10 identified in the AdSanity plug-in, and a coordinated supply chain breach of 40 AccessPress Themes themes and 53 plug-ins. 

WordPress weaknesses are nothing unusual, but they have increased since last year and don’t appear to be abating anytime in the near future. 

UpdraftPlus 1.22.3 (free) and 2.22.3 (premium, paid) were released on Wednesday. WordPress administrators whose sites are affected should upgrade as soon as feasible.