
Millions of WordPress sites receive forced patch for critical plugin flaw

Millions of WordPress sites have received a forced patch over the past few days, Ars Technica has reported. The reason is a vulnerability in UpdraftPlus, a popular plugin that allows users to create and restore website backups. UpdraftPlus developers requested the mandatory patch, as the vulnerability would allow anyone with an account to download a website’s entire database. 

The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin. “This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” he told Ars Technica. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups.” 

He told UpdraftPlus developers about the bug on Tuesday last week; they fixed it a day later and began force-installing the patch shortly after that. As of Thursday, 1.7 million sites had received it, out of 3 million-plus users.

The main flaw was that UpdraftPlus didn’t correctly implement WordPress’s “heartbeat” function: it failed to properly check whether the requesting user had administrative privileges. A second issue was that a variable used to validate admins could be modified by untrusted users. Jetpack provided more details about how an attack could work in a blog post.
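To illustrate the class of bug described above, here is an added example (not UpdraftPlus’s own code) of a WordPress heartbeat handler that decides admin status from a client-supplied value, beside a version that checks the server-side capability; the `my_plugin_*` identifiers are hypothetical.

```php
<?php
// Added illustration of the bug class described above (an authorization
// decision based on client-controlled data). Not UpdraftPlus's code; the
// my_plugin_* names are hypothetical.

// Weak pattern: the handler decides "is this an admin?" from a field the
// browser sent in the heartbeat request body. Any logged-in user controls
// that field, so any logged-in user can obtain the privileged token.
function weak_heartbeat_received( $response, $data ) {
    if ( ! empty( $data['my_plugin_is_admin'] ) ) {   // attacker-controlled flag
        $response['my_plugin_backup_nonce'] = wp_create_nonce( 'my_plugin_download' );
    }
    return $response;
}

// Hardened pattern: derive privilege from the authenticated session with a
// capability check, never from request data.
function hardened_heartbeat_received( $response, $data ) {
    if ( current_user_can( 'manage_options' ) ) {
        $response['my_plugin_backup_nonce'] = wp_create_nonce( 'my_plugin_download' );
    }
    return $response;
}

// The download endpoint must repeat the capability check: a nonce only
// protects against CSRF and is not an authorization control on its own.
function hardened_download_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'my_plugin_download' );
    // ... stream the backup file to the verified administrator ...
}

add_filter( 'heartbeat_received', 'hardened_heartbeat_received', 10, 2 );
add_action( 'admin_post_my_plugin_download', 'hardened_download_handler' );
```

When auditing a plugin, check every place a privileged token is issued or a download is served for exactly this pattern: the decision must rest on `current_user_can()` (or an equivalent server-side check), not on anything read from `$_POST`, `$_GET` or the heartbeat payload.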

WordPress sites were previously affected earlier this year, though indirectly, via a GoDaddy hack that exposed 1.2 million accounts. If you’re running WordPress with the UpdraftPlus plugin, you should confirm that the plugin updated automatically to 1.22.4 or later on the free version, or 2.22.4 and up on the premium version.
