Over 3 million installations impacted by WordPress backup plugin vulnerability
By MYBRANDBOOK
A vulnerability was discovered in UpdraftPlus, a WordPress backup plugin with over 3 million installations. If exploited, the vulnerability could grant attackers access to privileged information from the affected site's database, such as usernames and hashed passwords.
The issue was discovered during an internal audit of the UpdraftPlus plugin. A team of researchers uncovered an arbitrary backup download vulnerability that could allow low-privileged users, such as subscribers, to download a site's latest backups.
Two previously unknown vulnerabilities were discovered. The first concerned how UpdraftPlus security tokens, called nonces, could be leaked. This allowed an attacker to obtain the backup log, including the nonce.
The second vulnerability was an improper validation of a registered user's role, precisely the kind of check WordPress warns developers to lock down in their plugins. The improper role validation allowed anyone holding the data from the first vulnerability to download any of the backups, which of course contain sensitive information.
UpdraftPlus allows WordPress administrators to back up their WordPress installations, including the entire database, which contains user credentials, password hashes and other sensitive information. Publishers rely on UpdraftPlus to adhere to the highest standards of security because of how sensitive the data backed up with the plugin is.
The Wordfence Threat Intelligence team said, “The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate sub-parameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp, which they can then use to download a backup.”
Wordfence further urged all users running the UpdraftPlus plugin to update to the latest version, which is 1.22.3 as of this writing, as soon as possible, since the consequences of a successful exploit would be severe.
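The root cause described above is a backup-download endpoint that treats "logged in" (plus a nonce that can leak) as sufficient authorisation. The following is an added illustration, not UpdraftPlus's own code: a hypothetical WordPress admin-ajax handler in its weak form beside a hardened form that verifies the nonce, requires an administrator capability, validates the backup identifier and guards the file path. All function names, the `example-backups` directory and the `backup-<timestamp>.zip` naming are assumptions.

```php
<?php
// Hypothetical admin-ajax handler for a backup-download endpoint (not UpdraftPlus code).
// Weak pattern: being logged in is treated as authorisation, so any subscriber who has
// obtained a valid nonce (for example via a leaked backup log) can download the archive.
add_action( 'wp_ajax_example_download_backup', 'example_download_backup_weak' );
function example_download_backup_weak() {
    if ( ! is_user_logged_in() ) {          // checks authentication only, never the role
        wp_send_json_error( 'login required', 401 );
    }
    $timestamp = sanitize_text_field( $_GET['timestamp'] ?? '' );
    example_stream_backup( $timestamp );    // streams backup-<timestamp>.zip
}

// Hardened pattern: verify the nonce bound to this specific action AND require a
// capability that only administrators hold; a leaked nonce alone is then not enough.
add_action( 'wp_ajax_example_download_backup_v2', 'example_download_backup_hardened' );
function example_download_backup_hardened() {
    check_ajax_referer( 'example_download_backup', 'nonce' ); // ends the request on failure
    if ( ! current_user_can( 'manage_options' ) ) {            // capability (role) check
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $timestamp = sanitize_text_field( $_GET['timestamp'] ?? '' );
    if ( ! preg_match( '/^\d{10}$/', $timestamp ) ) {          // assumed id format: 10-digit Unix time
        wp_send_json_error( 'bad backup id', 400 );
    }
    example_stream_backup( $timestamp );
}

// Shared helper (assumed layout): resolves the archive under the backup directory
// and refuses anything that escapes it, then streams it to the client.
function example_stream_backup( string $timestamp ): void {
    $base = realpath( trailingslashit( WP_CONTENT_DIR ) . 'example-backups' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . 'backup-' . $timestamp . '.zip' );
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {  // path-traversal guard
        wp_send_json_error( 'not found', 404 );
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

The practitioner's check is the capability test: a nonce proves only that the request originated from a page the server rendered for some logged-in user, so it must be paired with `current_user_can()` on every endpoint that serves backups.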