Binary Blackboard
Web Security

UpdraftPlus 1.23.3 / 2.23.3 – important security release

March 16, 2023

Short version: A security risk identified in UpdraftPlus has been resolved in 1.23.3 (free version) / 2.23.3 (paid versions); you should update to the latest version straight away, and then all will be well.

Who is vulnerable?
The great majority of sites are not vulnerable (but you should update anyway). If your site has untrusted non-admin users who can sign in to your WordPress back-end (i.e. the “wp-admin” dashboard), and you are using an UpdraftPlus version from 1.22.14 to 1.23.2 (free) or 2.22.14 to 2.23.2 (paid), then, given sufficiently advanced technical skills, these users are able to gain the powers of admins (or, on WordPress multisite installs, super-admins). Updating will immediately close this loophole.

If untrusted people can sign up but cannot reach the WordPress back-end dashboard (i.e. at /wp-admin), then you are also not vulnerable (e.g. if you are using WooCommerce, customers in your shop get a WordPress account, but WooCommerce does not allow them to visit the back-end dashboard).

You are not vulnerable to this problem if your version of UpdraftPlus is not in the above range – but we recommend you update as we only support current plugin versions.

Experience with security issues (with which I have worked for over 20 years in different contexts) shows that even thorough analysis can overlook something. So please, update UpdraftPlus on your website.

How the problem was discovered:
First credit belongs to pluginvulnerabilities.com, who notified us of a missing permissions check in our code. At this stage it was known only to be a harmless omission. We then investigated internally if there were any pathways for this missing check to be leveraged to perform further unauthorised operations, and found that this was in fact the case in the scenarios described above.

When and how the problem was introduced:
The issue was introduced in a release of UpdraftPlus in the second half of 2022, as a result of moving existing code around in order to prepare the way for future improvements in that code. This resulted in code that previously had not been reachable without the appropriate permissions check becoming reachable without it. All our code changes go through multiple reviews before being launched, but in this case there was a subtlety involved in moving existing code around that led us to overlook the implications of the move. We are reviewing how to prevent this from happening in future.
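The hazard described above, as an added, hypothetical illustration in WordPress plugin code (this is not UpdraftPlus code, and the function names, hook wiring, capability and option names are all assumptions): a permission check that lives only in an outer wrapper is lost as soon as the work is moved into its own function and that function becomes reachable by a second path.

```php
<?php
// Added, hypothetical illustration (not UpdraftPlus code) of a permission
// check that is lost when existing code is moved around.

// Before the refactor: check and privileged work sit in one function,
// reached only through this one registered hook.
add_action( 'admin_post_bb_example_save', 'bb_example_handle_save' );
function bb_example_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'bb_example_save' );
    bb_example_write_settings();
}

// After the refactor: the work was extracted into bb_example_write_settings()
// for reuse, and the plugin now also runs it from admin_init (which fires on
// every dashboard page load) when a request parameter is present. The wrapper
// above still checks, but this second path reaches the privileged code with
// no check at all: any user who can open wp-admin gets there.
add_action( 'admin_init', function () {
    if ( isset( $_REQUEST['bb_example_save'] ) ) {
        bb_example_write_settings(); // the gap
    }
} );

// Fix: the privileged function verifies the caller itself, so it is safe no
// matter which hook reaches it. The wrapper's checks become defence in depth.
function bb_example_write_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'bb_example_save' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    $value = isset( $_POST['bb_example_option'] )
        ? sanitize_text_field( wp_unslash( $_POST['bb_example_option'] ) )
        : '';
    update_option( 'bb_example_option', $value );
}
```

The review question this suggests for any similar move of code is not "does the caller still check?" but "can the moved function now be reached by a path that does not?"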

Is the problem being exploited in the wild?
No, not to our knowledge; we discovered the ultimate possibility internally based on a tip-off from a friendly security researcher. You should, of course, still update immediately.

Can you give me technical details of the exploit?
Working out and implementing the exploit takes some effort. At this stage it is best that we do not help any would-be attackers with that process.

I am using a paid version of UpdraftPlus, and my licence has expired, or I am vulnerable and do not want to update (any version) – what can I do?
Any one of these will protect you:

  1. Users of paid versions can renew their licence in our shop – you can use the coupon march2023nl until the end of March 2023 for a 50% discount. (You must log in to an account that has expired licences on it and make a purchase to renew those licences – otherwise it will not be valid.)
  2. Or, install and activate the “hotfix” plugin from this page.
  3. Or, delete any non-admin users whom you do not trust.
  4. Or, remove their ability to visit the WordPress dashboard using a free plugin like https://wordpress.org/plugins/remove-dashboard-access-for-non-admins/
  5. Or, de-activate UpdraftPlus.
  6. Or, de-install your version of UpdraftPlus and install the free version instead.
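Option 4 above can also be applied without a third-party plugin. The following is an added example of a must-use plugin that sends users without the administrator capability away from the dashboard; it is not code from UpdraftPlus or from the plugin linked above, and the file path, capability name and the decision to leave admin-ajax.php and admin-post.php untouched (so front-end features such as shop carts keep working) are assumptions.

```php
<?php
/**
 * Plugin Name: Block wp-admin for non-administrators (added example)
 *
 * Added illustration of mitigation option 4 as a must-use plugin; not code
 * from UpdraftPlus or from the plugin linked in the post. Save it as
 * wp-content/mu-plugins/block-dashboard.php (path is an assumption; mu-plugins
 * load automatically and cannot be deactivated from the dashboard).
 */

// Capability that decides who may stay in the dashboard (assumption:
// administrators and multisite super-admins both hold manage_options).
const BB_DASHBOARD_CAP = 'manage_options';

add_action( 'admin_init', function () {
    // admin-ajax.php and admin-post.php live under wp-admin but serve
    // front-end features; leave those entry points alone (assumption that
    // this matches what you need; tighten if your site does not use them).
    if ( wp_doing_ajax() || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return;
    }
    if ( basename( $_SERVER['SCRIPT_NAME'] ?? '' ) === 'admin-post.php' ) {
        return;
    }
    if ( current_user_can( BB_DASHBOARD_CAP ) ) {
        return;
    }
    // Everyone else is sent to the front page before any dashboard page
    // (and any plugin code hooked into it) renders for them.
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
```

Check the result by signing in as a low-privilege test account and requesting /wp-admin/: it should redirect to the front page, while an administrator session still reaches the dashboard.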

How come my site was already automatically updated to this version?
WordPress and UpdraftPlus both show you a setting allowing you to opt in to automatic updates when a new plugin version is released. If you turned this on, that is likely what performed the update.

Web hosting companies also have the ability to automatically update any plugin on your website, so this is another possibility.

By default, the plugins team at wordpress.org has the ability to automatically push updates to all users of wordpress.org plugins (i.e. free plugins in their directory) if they deem it a good idea. They have done so with this update, and so many wordpress.org users will have received the update already via this mechanism. If you don’t want them to be able to do this, then they have documented how to disable that here.

Once more: we are sorry, and are committed to working hard to prevent this happening again. Thank you for being a user of UpdraftPlus.

David Anderson (founder, lead developer)

Source link
