Plugin Name: UpdraftPlus
- Software Type: Plugin
- Software Slug: updraftplus
- Software Status: Active
- Software Author: davidanderson
- Software Downloads: 107,410,188
- Active Installs: 3,000,000
- Last Updated: November 7, 2023
- Patched Versions: 1.23.11
- Affected Versions: <= 1.23.10
- Name: UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update
- Title: Cross-Site Request Forgery to Google Drive Storage Update
- Type: Cross-Site Request Forgery (CSRF)
- CVE: CVE-2023-5982
- CVSS Score: 5.4 (Medium)
- Publicly Published: November 7, 2023
- Researcher: Nicolas Decayeux
- Description: The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth' action used to update Google Drive remote storage location. This makes it possible for unauthenticated attackers to modify the Google Drive location that backups are sent to via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can make it possible for attackers to receive backups for a site which may contain sensitive information.
The UpdraftPlus for WordPress has a vulnerability in versions up to and including 1.23.10 that allows unauthenticated attackers to modify the Google Drive backup location via a forged request. This vulnerability has been patched in version 1.23.11.
The researcher Nicolas Decayeux discovered a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus WordPress backup plugin. This affects all versions up to and including 1.23.10. The vulnerability is due to a lack of nonce validation and insufficient validation of the instance_id parameter in the 'updraftmethod-googledrive-auth' action used to update the Google Drive remote storage location.
An unauthenticated attacker could exploit this by tricking an administrator into clicking on a malicious link or visiting a compromised site. This would allow the attacker to send a forged request that modifies the Google Drive backup location to one controlled by the attacker. Successful exploitation means the attacker could potentially gain access to sensitive backups from the WordPress site.
The vulnerability has been patched by the developers in version 1.23.11. All users are strongly advised to update as soon as possible.
Advice for Users:
- Immediate Action: Update to version 1.23.11 or higher as soon as possible.
- Check for Signs of Vulnerability: Review your Google Drive backup locations for any unauthorized changes.
- Alternate Plugins: Consider alternate backup plugins like BackWPUp as a precaution.
- Stay Updated: Always keep plugins updated to avoid vulnerabilities.
This vulnerability demonstrates the importance of timely security updates for WordPress plugins. Users should install version 1.23.11 or later of UpdraftPlus immediately to protect their sites. Developers are recognized for their prompt resolution of the issue.
Keeping your WordPress website and its plugins up-to-date is one of the most important things you can do to maintain a secure online presence. Unfortunately, a recently disclosed vulnerability in a widely used backup plugin serves as an important reminder of the risks of outdated software. The developers of UpdraftPlus, which has over 3 million active installs, have patched a critical flaw that could have allowed attackers to access sensitive data from vulnerable sites. If you use this plugin, updating to the latest version should be a top priority. Even if you don’t use UpdraftPlus, this incident highlights the need for prompt security updates across all of your site's software. Don't let your hard work go to waste by neglecting basic security hygiene. If you have any concerns about vulnerabilities in your WordPress site, we're here to help ensure your site stays safe. Reach out and we'll provide a complimentary security review. The potential risks are too great to ignore.
UpdraftPlus is a popular WordPress backup and migration plugin with over 100 million downloads and 3 million active installs. The plugin allows easy automated backups to cloud storage services like Google Drive.
Researchers recently disclosed a critical cross-site request forgery (CSRF) vulnerability affecting UpdraftPlus versions up to and including 1.23.10. This vulnerability allows unauthenticated remote attackers to modify the configured Google Drive backup location by tricking an administrator into clicking a malicious link.
Successful exploitation of this vulnerability could let attackers gain access to sensitive WordPress backups containing database credentials, user information, and more. This presents a serious risk of data breach and site takeover.
UpdraftPlus developers have patched the vulnerability in version 1.23.11. All users should update immediately to mitigate the risk. You should also review your Google Drive to check for unauthorized backup location changes. As an added precaution, consider alternate backup plugins like BackWPUp until more details emerge.
This is the 14th vulnerability disclosed in UpdraftPlus since February 2015. The regularity of vulnerabilities demonstrates the critical importance of prompt updates for WordPress plugins. New threats emerge continually and plugins can become outdated quickly.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.