WordPress Rolls Out Forced Update Against Vulnerability in UpdraftPlus Plugin
WordPress is forcibly rolling out an update to the popular backup plugin UpdraftPlus. Websites with the plugin were found to contain a vulnerability that allowed unauthorized users to download recent backups.
The mandatory updates are UpdraftPlus 1.22.3 for the free version and 2.22.3 for the paid version of the plugin. Once installed, unauthorized users can no longer access backups, as plugin manager Jetpack describes in a blog post.
WordPress rarely forces an update, but because of the severity of the vulnerability the update was pushed to 3 million users within days, according to Bleeping Computer. Even so, UpdraftPlus says no known attacks have taken place, since obtaining a backup without authorization is a complicated process.
The vulnerability in UpdraftPlus allowed users to send a heartbeat request to a website, after which sensitive details about recent backups could be obtained. From those details a link could be generated that instructed UpdraftPlus to send the affected backup by email to the unauthorized requester.
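Because the fix is a version bump rather than a configuration change, the practical check for a site owner is whether the installed plugin is at or above the fixed release for its branch (1.22.3 free, 2.22.3 paid, as stated above). The following is an added example, not code from UpdraftPlus, Jetpack or WordPress: it reads the `Version:` line from a plugin's main PHP file header (the sample header below is constructed for the example) and reports whether that version is patched. The regex and the branch mapping are assumptions based on the two version numbers in the article.

```python
import re

# Fixed releases named in the article, keyed by major version (branch):
# 1.x is the free plugin, 2.x the paid plugin. (Mapping assumed from the article.)
FIXED_VERSIONS = {1: (1, 22, 3), 2: (2, 22, 3)}

# Constructed sample of a WordPress plugin file header, pre-fix version.
SAMPLE_VULNERABLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.22.2
*/
"""

# Constructed sample at the fixed release of the paid branch.
SAMPLE_PATCHED_HEADER = """<?php
/*
 * Plugin Name: UpdraftPlus Premium
 * Version: 2.22.3
 */
"""


def parse_version(text):
    """Turn '1.22.2' into the comparable tuple (1, 22, 2)."""
    return tuple(int(part) for part in text.strip().split("."))


def header_version(plugin_source):
    """Extract the 'Version:' value from a plugin's main file header.

    Accepts both 'Version: x' and ' * Version: x' comment styles.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_source, re.M)
    if not match:
        raise ValueError("no Version header found in plugin source")
    return parse_version(match.group(1))


def is_patched(version):
    """True if this version is at or above the fixed release of its branch.

    Tuple comparison is lexicographic, so (1, 23) >= (1, 22, 3) is True and
    (1, 22) >= (1, 22, 3) is False, which matches semantic-version ordering.
    """
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        raise ValueError(f"unknown UpdraftPlus branch for version {version}")
    return version >= fixed


def audit(plugin_source):
    """Return a small report for one plugin file's contents."""
    version = header_version(plugin_source)
    return {
        "version": ".".join(str(p) for p in version),
        "patched": is_patched(version),
    }


if __name__ == "__main__":
    for label, src in (("free", SAMPLE_VULNERABLE_HEADER), ("paid", SAMPLE_PATCHED_HEADER)):
        print(label, audit(src))
```

In practice the source string would come from `wp-content/plugins/updraftplus/updraftplus.php`; on a host with WP-CLI, `wp plugin get updraftplus --field=version` yields the same version string and can be fed to `parse_version` and `is_patched` directly. A site whose version is below the threshold has not received the forced update and should be updated by hand.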