Database leak in the WordPress plugin UpdraftPlus, installed on 3 million sites

A dangerous vulnerability (CVE-2022-0633) has been found in the WordPress plugin UpdraftPlus, which has more than 3 million active installations. It allows a third-party user to download a copy of the site database, which, besides the content, contains the settings of all users and their password hashes. The problem is fixed in releases 1.22.3 and 2.22.3, which all UpdraftPlus users are advised to install as soon as possible.

UpdraftPlus is positioned as the most popular plugin for creating backups of sites running the WordPress platform. Due to an incorrect access check, the plugin allowed a backup of the site and its associated database to be downloaded not only by administrators but by any user registered on the site, for example one with Subscriber status.

To download a backup in UpdraftPlus, an identifier is used that is derived from the backup timestamp and a random nonce. The problem is that, because of a missing check in the plugin's handler for WordPress Heartbeat requests, any user can obtain, by means of a specially crafted request, information about the latest backup, which among other things includes its timestamp and the associated nonce.

Using the information obtained, the identifier can then be reconstructed and the backup downloaded through the "download from email" method. The maybe_download_backup_from_email function used by this method requires access to the options-general.php page, which is available only to administrators. Nevertheless, an attacker can bypass this restriction by spoofing the $pagenow variable used in the check and sending the request through a service page that is reachable by unprivileged users; for example, a request can be sent to "wp-admin/admin-post.php/%0a/wp-admin/options-general.php?page=updraftplus".
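As an added defender-side illustration, not code from this article or from the UpdraftPlus project, the Python snippet below scans web-server access-log lines for the request shape described above: an admin-post.php request whose PATH_INFO carries an encoded newline or a second wp-admin script name, which is the signal of the $pagenow spoofing. The log lines are constructed samples, and the combined-log-format regular expression is an assumption about the server's log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are not taken
# from any real server and exist only to exercise the detector.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2022:10:01:02 +0000] "GET /wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Feb/2022:10:02:15 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Feb/2022:10:03:44 +0000] "GET /wp-admin/admin-post.php/%0a/wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.9 - - [17/Feb/2022:10:03:50 +0000] "GET /wp-admin/admin-post.php/%0D%0A/wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
]

# Minimal combined-log-format parser (assumed layout): client IP, method, request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def parse_line(line):
    """Return (ip, method, target) for a recognised log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("target")


def is_pagenow_spoof(target):
    """True when the request target abuses admin-post.php PATH_INFO to smuggle
    a second wp-admin script name (e.g. after an encoded newline), so that a
    server-side check based on the script name sees a privileged page while
    the request is routed through a page reachable by unprivileged users."""
    path = target.split("?", 1)[0]
    decoded = unquote(path)            # %0a -> "\n", %0D%0A -> "\r\n"
    idx = decoded.lower().find("admin-post.php")
    if idx == -1:
        return False
    path_info = decoded[idx + len("admin-post.php"):]
    if not path_info:
        return False                    # a plain /wp-admin/admin-post.php request is normal
    has_control_char = any(ch in path_info for ch in "\r\n")
    smuggled_script = ".php" in path_info.lower()
    return has_control_char or smuggled_script


def find_suspicious(lines):
    """Return (line_number, ip, target) for every request matching the pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, target = parsed
        if is_pagenow_spoof(target):
            hits.append((n, ip, target))
    return hits


if __name__ == "__main__":
    for n, ip, target in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {target}")
```

The check is deliberately shape-based: admin-post.php normally has no PATH_INFO at all, so any extra path segment, and especially one containing a control character or another .php name, deserves review. Hits should be correlated with the HTTP status (a 200 with a sizeable body is more telling than a 302) and with the patch level of the plugin on that host.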

Source: media reports.