A new vulnerability has been discovered in the popular plugin UpdraftPlus. The plugin has more than 3 millon active installations currently and the vulnerability has a CVE identifier reserved as CVE-2022-23303. The developers behind updraftplus has made an announcement: “an update was pushed to Premium users within the hour”.
Marc-Alexandre Montpas the cyber security researcher who found the vulnerability said:
This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited, It made it possible for low-privilege users to download a site’s backups, which include raw database backups. Low-privilege accounts could mean a lot of things. Regular subscribers, customers (on e-commerce sites, for example), etc.
If you haven’t received the forced update please upgrade to UpdraftPlus 1.22.3 (free version) / 2.22.3 (paid versions). But also 1.22.4 / 2.22.4 was released shortly after due to another non related bug.
We also recommend using WPSec to monitor your WordPress website or blog or security vulnerabilities.