WordPress Plugin Vulnerability Report – UpdraftPlus – Cross-Site Request Forgery to Google Drive Storage Update – CVE-2023-5982

Plugin Name: UpdraftPlus

Key Information:

  • Software Type: Plugin
  • Software Slug: updraftplus
  • Software Status: Active
  • Software Author: davidanderson
  • Software Downloads: 107,410,188
  • Active Installs: 3,000,000
  • Last Updated: November 7, 2023
  • Patched Versions: 1.23.11
  • Affected Versions: <= 1.23.10

Vulnerability Details:

  • Name: UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update
  • Title: Cross-Site Request Forgery to Google Drive Storage Update
  • Type: Cross-Site Request Forgery (CSRF)
  • CVE: CVE-2023-5982
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: November 7, 2023
  • Researcher: Nicolas Decayeux
  • Description: The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth' action used to update Google Drive remote storage location. This makes it possible for unauthenticated attackers to modify the Google Drive location that backups are sent to via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can make it possible for attackers to receive backups for a site which may contain sensitive information.

Summary:

The UpdraftPlus plugin for WordPress has a vulnerability in versions up to and including 1.23.10 that allows unauthenticated attackers to modify the Google Drive backup location via a forged request, provided they can trick a site administrator into submitting it. This vulnerability has been patched in version 1.23.11.

Detailed Overview:

The researcher Nicolas Decayeux discovered a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus WordPress backup plugin. This affects all versions up to and including 1.23.10. The vulnerability is due to a lack of nonce validation and insufficient validation of the instance_id parameter in the 'updraftmethod-googledrive-auth' action used to update the Google Drive remote storage location.
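To make the root cause concrete, here is an added illustration of the weak and hardened shapes of a WordPress admin-side handler that updates a remote-storage setting. This is example code written for this report, not UpdraftPlus's own code: the hook name `example-storage-update`, the option name `example_remote_storage`, the `folder` parameter and the instance-id format are all hypothetical. The weak version mirrors the two gaps the advisory names (no nonce validation, and an `instance_id` that is trusted as supplied); the hardened version uses the checks WordPress core provides for exactly this purpose.

```php
<?php
// Added example (not UpdraftPlus code). Hook name, option name, parameter names
// and the instance-id format are hypothetical.

// --- Weak pattern: any request that reaches the action updates the setting. ---
function example_weak_storage_update() {
    $instance_id = $_REQUEST['instance_id'] ?? '';
    $folder      = $_REQUEST['folder'] ?? '';
    // Nothing ties this request to a deliberate admin action, so a page the
    // administrator merely visits can submit it with their session (CSRF), and
    // the instance id is written to without checking that it exists.
    $settings = get_option( 'example_remote_storage', array() );
    $settings[ $instance_id ]['folder'] = $folder;
    update_option( 'example_remote_storage', $settings );
}
add_action( 'wp_ajax_example-storage-update', 'example_weak_storage_update' );
// Registering the nopriv hook as well lets anonymous requests reach the handler.
add_action( 'wp_ajax_nopriv_example-storage-update', 'example_weak_storage_update' );

// --- Hardened pattern. ---
function example_hardened_storage_update() {
    // 1. Authorization: only users allowed to manage options may change where backups go.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued to this user for
    //    this action. check_ajax_referer() terminates the request when the nonce
    //    is missing, expired or was issued for a different action/user.
    check_ajax_referer( 'example-storage-update', '_wpnonce' );

    // 3. Validate the instance id against the configured instances instead of
    //    trusting whatever the request supplies.
    $instance_id = isset( $_POST['instance_id'] ) ? sanitize_key( $_POST['instance_id'] ) : '';
    $settings    = get_option( 'example_remote_storage', array() );
    if ( '' === $instance_id || ! array_key_exists( $instance_id, $settings ) ) {
        wp_send_json_error( 'unknown storage instance', 400 );
    }

    // 4. Sanitize the new value before persisting it.
    $folder = sanitize_text_field( wp_unslash( $_POST['folder'] ?? '' ) );
    $settings[ $instance_id ]['folder'] = $folder;
    update_option( 'example_remote_storage', $settings );
    wp_send_json_success();
}
// Logged-in users only: no wp_ajax_nopriv_ registration, so anonymous requests
// never reach the handler at all.
add_action( 'wp_ajax_example-storage-update', 'example_hardened_storage_update' );

// The settings page emits the nonce next to the form, so only forms rendered by
// WordPress for this user carry a value the handler will accept.
function example_storage_form_nonce_field() {
    wp_nonce_field( 'example-storage-update', '_wpnonce' );
}
```

The capability check and the nonce check address different things and both are needed: `current_user_can()` answers "may this user change the setting", while the nonce answers "did this user intend this specific request", which is what a cross-site forged request cannot satisfy. Validating `instance_id` against the stored configuration closes the second gap the advisory describes, so a request cannot create or retarget a storage instance the administrator never set up.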

An unauthenticated attacker could exploit this by tricking an administrator into clicking on a malicious link or visiting a compromised site. This would allow the attacker to send a forged request that modifies the Google Drive backup location to one controlled by the attacker. Successful exploitation means the attacker could potentially gain access to sensitive backups from the WordPress site.

The vulnerability has been patched by the developers in version 1.23.11. All users are strongly advised to update as soon as possible.

Advice for Users:

  1. Immediate Action: Update to version 1.23.11 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review your Google Drive backup locations for any unauthorized changes.
  3. Alternate Plugins: Consider alternate backup plugins like BackWPUp as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerabilities.

Conclusion:

This vulnerability demonstrates the importance of timely security updates for WordPress plugins. Users should install version 1.23.11 or later of UpdraftPlus immediately to protect their sites. Developers are recognized for their prompt resolution of the issue.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/updraftplus

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/updraftplus/updraftplus-12310-cross-site-request-forgery-to-google-drive-storage-update

Detailed Report:

Keeping your WordPress website and its plugins up-to-date is one of the most important things you can do to maintain a secure online presence. Unfortunately, a recently disclosed vulnerability in a widely used backup plugin serves as an important reminder of the risks of outdated software. The developers of UpdraftPlus, which has over 3 million active installs, have patched a critical flaw that could have allowed attackers to access sensitive data from vulnerable sites. If you use this plugin, updating to the latest version should be a top priority. Even if you don’t use UpdraftPlus, this incident highlights the need for prompt security updates across all of your site's software. Don't let your hard work go to waste by neglecting basic security hygiene. If you have any concerns about vulnerabilities in your WordPress site, we're here to help ensure your site stays safe. Reach out and we'll provide a complimentary security review. The potential risks are too great to ignore.

UpdraftPlus is a popular WordPress backup and migration plugin with over 100 million downloads and 3 million active installs. The plugin allows easy automated backups to cloud storage services like Google Drive.

Researchers recently disclosed a critical cross-site request forgery (CSRF) vulnerability affecting UpdraftPlus versions up to and including 1.23.10. This vulnerability allows unauthenticated remote attackers to modify the configured Google Drive backup location by tricking an administrator into clicking a malicious link.

Successful exploitation of this vulnerability could let attackers gain access to sensitive WordPress backups containing database credentials, user information, and more. This presents a serious risk of data breach and site takeover.

UpdraftPlus developers have patched the vulnerability in version 1.23.11. All users should update immediately to mitigate the risk. You should also review your Google Drive to check for unauthorized backup location changes. As an added precaution, consider alternate backup plugins like BackWPUp until more details emerge.

This is the 14th vulnerability disclosed in UpdraftPlus since February 2015. The regularity of vulnerabilities demonstrates the critical importance of prompt updates for WordPress plugins. New threats emerge continually and plugins can become outdated quickly.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
