Last week, security researchers at Sucuri (their advisory is here) discovered a security defect affecting a large number of WordPress plugins – including UpdraftPlus in versions before our current release (1.9.64 for the free version, 2.9.64 for the paid version).
Because many plugins were affected, news of this defect has been under wraps until now, whilst Sucuri searched for more affected plugins. Announcing at the same time means that hackers who spot the announcement in one plugin can’t go and search for it in other plugins that haven’t yet made updates available.
The defect is an “XSS” vulnerability (Wikipedia link). This means that it is possible for a hacker to inject unwanted content in your website. What kind of content, and who it can affect, depends on the details of the plugin itself and how it works.
In UpdraftPlus, the danger is as follows: an attacker would need to a) send you a specially crafted link, and b) persuade you to click on it, on a computer on which you are also logged in to the WordPress dashboard on your site, with admin privileges. If you clicked on that link, then the attacker could run code in your dashboard page one time (i.e. not persistent – it won’t remain in your dashboard), performing UpdraftPlus administrative actions (e.g. download a backup, run a backup, delete a backup). We do not believe that there is a way for an attacker to upload and restore their own backup. (i.e. They cannot modify your site through injecting and restoring their own backups).
For clarity: since UpdraftPlus never has any cause, and hence has no code, to display anything on the front-end of your website, it is not possible for this defect to result in code being shown to visitors to your website. Logged-in users who do not have administrative access to the UpdraftPlus dashboard also have no way of being affected.
Other plugins will be affected in other ways. The above description does not describe what the risks may be through other affected plugins. To check all 40,000-ish WordPress plugins would be impossible (plugin authors will have to check themselves), but Sucuri have been auditing many popular plugins, and at least these plugins are known to be vulnerable:
- WordPress SEO
- All In One SEO
- Gravity Forms
- Easy Digital Downloads
- Download Monitor
- P3 Profiler
- Ithemes Exchange
- Two Factor Authentication
- Broken Link Checker
You should immediately check that all of these plugins have been updated to the latest version.How has this vulnerability affected so many plugins? Basically, it was easy to do. The WordPress coding manual, for a particular function, included an example of its use that was vulnerable. If you used the function in a way like the example suggested, then you’d introduce a security vulnerability into your plugin. The page has now been corrected to give specific guidance on the potential pitfall, and showing secure examples instead. Sucuri, who realised the mistake, set about looking for plugins that were using the function in the way previously suggested.This defect is fixed in UpdraftPlus 1.9.64 (free users) and 2.9.64 (paying users). So, if your version number is below that, then please update. Many free users will find that they are already updated – wordpress.org has been pushing out instructions to sites to automatically update. So don’t be surprised if you’re already on a safe version!
David Anderson (founder, lead developer, UpdraftPlus)