A security researcher at Automattic discovered a vulnerability affecting the popular WordPress backup plugin UpdraftPlus. The vulnerability allowed attackers to download site backups, which contain user names and hashed passwords. Automattic calls it a “severe vulnerability.”
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is a popular WordPress backup plugin with over 3 million active installations.
The plugin allows WordPress administrators to back up their WordPress installations, including the entire database, which holds user credentials (including password hashes) and other sensitive information.
Because the data the plugin backs up is so sensitive, site owners rely on UpdraftPlus to meet the highest standards of security.
UpdraftPlus Vulnerability
The vulnerability was discovered during an audit conducted by a security researcher at Automattic’s Jetpack.
The audit uncovered two previously unknown vulnerabilities.
The first concerned how the security tokens that UpdraftPlus uses, called nonces, could be leaked. An attacker who obtained the nonce could use it to download the backup.
According to the WordPress developer documentation, nonces are not meant to be the main line of defense against attackers: they protect against cross-site request forgery, not against an authenticated user who should not have access in the first place. It states explicitly that functions must also be protected by verifying that the current user actually holds the required capability, using the function current_user_can().
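The following is an added illustration of that point, written for this article and not taken from UpdraftPlus or from Jetpack’s audit. It uses a hypothetical plugin (“demo-backup”), a hypothetical AJAX action name and a hypothetical backup directory. The first handler relies on a nonce alone; since WordPress runs wp_ajax_ hooks for any logged-in user regardless of role, a leaked nonce is all a low-privilege account needs to fetch the backup. The second handler checks the user’s capability first, then the nonce, and only mints the nonce for users who are allowed to use it.

```php
<?php
// Added example (not UpdraftPlus code). Plugin name, action names and the
// 'demo-backups' directory are hypothetical.

// ---- Vulnerable pattern: nonce as the only gate ---------------------------
// The nonce is created for every logged-in user, so any subscriber's browser
// holds a valid token.
function demo_backup_vuln_enqueue() {
    wp_localize_script( 'demo-backup-admin', 'demoBackupVuln', array(
        'nonce' => wp_create_nonce( 'demo-backup-download' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_backup_vuln_enqueue' );

function demo_backup_vuln_download() {
    // Proves only that the request carries a token, not that the caller may
    // read backups. check_ajax_referer() dies on a bad or missing nonce.
    check_ajax_referer( 'demo-backup-download', 'nonce' );

    $file = sanitize_file_name( $_GET['file'] ?? '' );
    $path = WP_CONTENT_DIR . '/demo-backups/' . $file;
    if ( ! is_file( $path ) ) {
        wp_send_json_error( 'no such backup', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    readfile( $path );
    exit;
}
// wp_ajax_* fires for ANY authenticated user; nothing here checks their role.
add_action( 'wp_ajax_demo_backup_download_vuln', 'demo_backup_vuln_download' );

// ---- Hardened pattern: authorize, then verify intent ------------------------
function demo_backup_safe_enqueue() {
    // Do not hand the token to users who could never legitimately use it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'demo-backup-admin', 'demoBackup', array(
        'nonce' => wp_create_nonce( 'demo-backup-download' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_backup_safe_enqueue' );

function demo_backup_safe_download() {
    // 1. Authorization: the check the WordPress docs say nonces must not
    //    replace. A leaked nonce is useless to a subscriber now.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: confirm the admin meant to issue this request.
    check_ajax_referer( 'demo-backup-download', 'nonce' );

    // 3. Confine the requested file to the backup directory, so the file
    //    parameter cannot be steered elsewhere on disk.
    $dir  = realpath( WP_CONTENT_DIR . '/demo-backups' );
    $path = realpath( $dir . '/' . sanitize_file_name( $_GET['file'] ?? '' ) );
    if ( false === $dir || false === $path
        || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_send_json_error( 'no such backup', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
add_action( 'wp_ajax_demo_backup_download', 'demo_backup_safe_download' );
```

The ordering in the hardened handler matters: the capability check runs before anything else, so an account that has no business downloading backups is refused regardless of what tokens it managed to collect. The nonce still has a job, stopping a third-party site from tricking a logged-in administrator’s browser into triggering the download, but it is a second line, not the first.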