Millions of WordPress sites have received a forced patch over the past few days, Ars Technica has reported. The reason is a vulnerability in UpdraftPlus, a popular plugin that allows users to create and restore website backups. UpdraftPlus developers requested the mandatory patch, as the vulnerability would allow anyone with an account to download a website's entire database.
The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin. "This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited," he told Ars Technica. "It made it possible for low-privilege users to download a site's backups, which include raw database backups."
He told UpdraftPlus developers about the bug on Tuesday last week, they fixed it a day later and started force-installing the patch shortly after that. 1.7 million sites had received it as of Thursday, out of 3 million-plus users.
The main flaw was that UpdraftPlus didn't correctly implement WordPress's "hearbeat' function by properly checking to see if users had administrative privileges. Another issue was a variable used to validate admins that could be modified by untrusted users. Jetpack provided more details about how a hack could work in a blog post.
WordPress was previously breached earlier this year, but it was done indirectly via a GoDaddy hack that exposed 1.2 million accounts. If you're running WordPress with the UpdraftPlus plugin, you should definitely confirm that the plugin updated automatically to 1.22.4 or later on the free version, or 2.22.4 and up on the premium app.