Short version: if you’re not using UpdraftPlus Premium, and have not bought the “Automatic backups” or “No adverts” add-ons, and if untrusted people can log in to your WordPress site (e.g. as subscribers), then you should update to UpdraftPlus 1.9.51 immediately. And for everyone else, there’s no harm in updating, and we recommend it anyway.
The crack security researches at Sucuri have pro-actively informed us, just over 12 hours ago, via responsible disclosure (thank you!) of a defect in versions of UpdraftPlus before the just-released version 1.9.51. The details follow.
Who’s not affected
If your WordPress site does not have any untrusted users who can log in (i.e. the only people who can login are trusted), then you are not affected. If you do have such users, but deploy a solution to prevent non-trusted users (e.g. non-admins) from accessing the WordPress dashboard, then you are not affected.
If you have dismissed the notice about automatic backups from the “Updates” page on your WordPress dashboard, then you are not affected for the period of time (12 weeks) that the notice is dismissed.
Who is affected
If you have the free version of UpdraftPlus, and have not bought the stand-alone “Automatic backups” or “No adverts” add-ons, and if untrusted users can log in to your site (e.g. as a subscriber) and access the WordPress dashboard, then you are affected.
If you are affected, then a malicious user can, using a specially crafted URL (i.e. web address), cause the WordPress dashboard to “leak” a security token used by UpdraftPlus to identify site administrators with permission to access the UpdraftPlus settings page.
Using this token (which WordPress calls a “nonce”), the malicious user can craft further URLs to access information from the UpdraftPlus settings page, in order to gain further access. For example, they can potentially read your UpdraftPlus settings (including access tokens for your Dropbox UpdraftPlus folder, for example, if you use Dropbox; or for your Drive files if you use Google Drive), download backups, and delete them. Depending on what other components (plugins, themes) are installed on your site, they may be able to take advantage of them to perform other malicious actions. On a default WordPress install, Sucuri demonstrated that it is possible to upload an unwanted file to the WordPress media library (but not one that can be run as PHP code – i.e. not one that can take over the site).
How did this happen?
The type of vulnerability is from a class which Sucuri have been researching and publishing about on their excellent blog in recent months. UpdraftPlus failed to realise that a logged-in non-admin user can visit a specially-crafted URL which he would not normally be able to see via clicking around the dashboard, and failed to check the user’s credentials before displaying a control that a non-admin user would not normally see. (This particular control is the notice about the capability for automatic backups, on the WordPress updates page, with the ability to dismiss that message). Ironically, the particular class of problems that Sucuri have drawn attention to only occurs when the plugin is trying to follow WordPress security standards, by making sure that operations are protected by security tokens (nonces). By inadvertently including the token in the page to a non-authorised user, a malicious user can then attempt to deploy that token to access other plugin functions that he would not normally have access to. And so, a simple “dismiss this notice” link can become the gateway to accessing other, much more significant, functions.
We’re somewhat depressed to say that we keenly follow Sucuri’s blog, had read and appreciated their research on similar issues in other plugins, and gone over UpdraftPlus more than once to audit whether we could find a vulnerability of this type. But, only one weak in a chain needs to be weak to weaken the whole chain – and we missed one.
How has this been fixed in UpdraftPlus 1.9.51?
The just-released UpdraftPlus 1.9.51 adds extra permission checks in two places: firstly, in the specific situation where the problematic token is leaked, so that it can no longer leak; and secondly, when that token is presented again, it is not accepted as sufficient, but the user’s access level is double-checked. This second level of protection will make future attacks of the same type impossible, even if a token does leak.
Do I need to update to UpdraftPlus 1.9.51?
This is explained above – but we recommend that everybody updates anyway. UpdraftPlus 1.9.51 is the same as the previous release (1.9.50), with these extra checks.
Is anyone taking advantage of this problem yet?
As far as we know, nobody is yet taking advantage of this problem in previous versions of UpdraftPlus. The problem was found by responsible security researchers, and a new, fixed release of UpdraftPlus was made 12 hours (in which time we verified the problem and tested a solution).
Is there anything else I should do?
It is theoretically possible that a malicious user on your website could, if they had somehow known about this problem, theoretically gained access to settings on your UpdraftPlus settings page – e.g. passwords for other services (e.g. FTP, Amazon S3 keys). You may wish to consider resetting these credentials. (Note that in the case of Dropbox, the Dropbox token can only access your UpdraftPlus app folder; and similarly, an Amazon S3 key can only access the buckets that any security policy you set for it allows).
Anything else to say?
We are very, very sorry for any inconvenience caused with the need to quickly update. We have sought to be pro-active in making UpdraftPlus secure, but this one slipped through multiple internal reviews. (You might have spotted my name on the WordPress 4.0.1 security release announcement – I found a minor security hole that got reported and patched for that version).
We hope that our swift action in making an updated immediately available, and full disclosure, will help to retain your trust in UpdraftPlus. Complex computer software, like WordPress and UpdraftPlus, will unfortunately always have unwanted security issues (our main rival had a vastly more serious breach towards the end of 2014) but all anyone can do when they happen is respond quickly. We have exciting things planned for 2015, and hope you will stay with us.
Finally, thanks again to the researchers at Sucuri for their responsible disclosure.
David Anderson (founder, lead developer, UpdraftPlus)