Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups

WordFence - 

On February 17, 2022, UpdraftPlus, a WordPress plugin with over 3 million installations, updated with a security fix for a vulnerability discovered by security researcher Marc Montpas. This vulnerability allowed any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration files which can be used to access the site database as well as the contents of the database itself.

As with all newly reported vulnerabilities, the Wordfence Threat Intelligence team examined the patch and was able to create a proof of concept. In addition, we released a firewall rule to block any attackers trying to exploit this vulnerability. Wordfence Premium, Care, and Response customers received this rule today, February 17, 2022, while Wordfence Free users will receive this rule after 30 days on March 19, 2022.

This vulnerability was patched in version 1.22.3 of UpdraftPlus, and as such we strongly encourage you to verify that your site is running the most up to date version of the plugin and updating immediately if it is not.

Description: Authenticated Backup Download
Affected Plugin: UpdraftPlus
Plugin Slug: updraftplus
Plugin Developer: UpdraftPlus.Com
Affected Versions: 1.16.7 – 1.22.2
CVE ID:

Read More: https://www.wordfence.com/blog/2022/02/vulnerability-in-updraftplus-allowed-subscribers-to-download-sensitive-backups/