Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2022-0633- An Authenticated Backup Download Vulnerability In UpdraftPlus WordPress Plugin
February 21, 2022
|
5m

How To Fix CVE-2022-0633- An Authenticated Backup Download Vulnerability In UpdraftPlus WordPress Plugin


How To Fix Cve 2022 0633 An Authenticated Backup Download Vulnerability In Updraftplus Wordpress Plugin

On Feb 14, 2022, A security researcher, Marc-Alexandre from Jetpack, discovered a high severity vulnerability in the UpdraftPlus WordPress plugin. The flaw tracked as CVE-2022-0633 with a base score of 8.5 lets the attacker download the WordPress site backup files with sensitive data. This could lead the attacker to take control of the website. WordPress site owners who use this plugin will need to pay attention to this post as we are going to explain how to fix CVE-2022-0633- An Authenticated Backup Download Vulnerability in UpdraftPlus WordPress Plugin.

About The UpdraftPlus Plugin:

UpdraftPlus plugin is the worlds highest-ranking and most popular backup service. The plugin offers full, manual, or scheduled backup of the whole WordPress site (files, databases, plugins, and themes ) to any location from local drive to remote cloud storage such as OneDrive, DropBox, GoogleDrive, Amazon S3 storage, and many more just with one click.

Summary Of CVE-2022-0633:

According to the security researcher Marc Montpas, The CVE-2022-0633 vulnerability allows any logged-in user, just with subscriber-level access, to download the backups created by the UpdraftPlus plugin.

Research says that the plugin uses the parameters nonce and timestamps to identify the created backups. These parameters are created to validate the admin users properly and provide access to the backup files. The actual vulnerability exists in the improper implementation of the validation process, which failed to identify the admin users. This hole created a way for attackers to craft a malicious request to get access to information about the sites latest backup to date and backups nonce.

Attackers will have access to WordPress configuration files, database files, media files, themes, and everything that backup file stores upon successful exploitation of this vulnerability. If an attacker manages to obtain credentials stored in the database, the attacker could take over the complete WordPress website.

This flaw puts more than 3 million websites at risk of stealing website backup files. You can imagine the potential of the flaw from its numbers. Please read the full details from here. 

Associated CVE IDCVE-2022-0633
DescriptionAn Authenticated Backup Download Vulnerability in UpdraftPlus WordPress Plugin
Associated ZDI ID
CVSS Score8.5 High
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

UpdraftPlus Plugin Versions Affected By The CVE-2022-0633 Vulnerability:

All the versions of the UpdraftPlus plugins are from 1.16.7 to 1.22.2 are vulnerable to the flaw. It is good to take swift action to fix the CVE-2022-0633 Vulnerability.

How To Fix CVE-2022-0633- An Authenticated Backup Download Vulnerability In UpdraftPlus WordPress Plugin?

UpdraftPlus has released version 1.22.3 for patching the vulnerability. UpdraftPlus has pushed the forced auto-updates due to the severity of the issue. We urge you to verify the current version of the UpdraftPlus on your WordPress website and update the plugin to version 1.22.3 / 2.22.3 or later. You can find UpdraftPlus’s official advisory here.

How to upgrade the UpdraftPlus plugin in WordPress?


You dont have to manually upgrade the plugin if you have enabled the auto-upgrade option. Follow the simple procedure to upgrade the plugin manually.

Step 1. Log in to the WordPress Admin page

Step 2. Select ‘Plugin’ option from the left-hand site options

Step 3. Upgrade the Plugin

Select the Enable auto-updates option to receive automatic updates. Or Click on the Update Now option right below the plugin. However, the Update Now option will only be available when the Plugin Author rolls out an update.

For a WordPress website, it is mandatory to keep all the plugins up to date. But, updating plugins are not enough to protect your WordPress website. We highly recommend taking the subscription of security solutions such as Jetpack and WordFence. 

Both Jetpack and Wordfence will always work hard to protect your WordPress website from such threats and vulnerabilities. If you are using Jetpack on your website, we recommend subscribing to their Jetpack Security plan, covering malicious file scanning and backups. Suppose you have been using Wordfence Premium on your WordPress website. In that case, your website is protected from any exploits targeting this vulnerability as Wordfence already implemented the firewall rule on Feb 17, 2022, for Premium subscribers. Wordfence said that their free subscribers would receive this update after 30 days, on Mar 19, 2022. 

We hope this post would help you know How to Fix CVE-2022-0633- An Authenticated Backup Download Vulnerability in UpdraftPlus WordPress Plugin. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe