
UpdraftPlus Vulnerability for WordPress Puts 3 Million Sites at Risk

A vulnerability in UpdraftPlus: WP Backup & Migration Plugin affects over 3 million WordPress websites and allows unauthenticated attackers to execute commands as an administrator. The flaw makes it possible for attackers to upload and activate malicious plugins, which can ultimately lead to remote code execution.

UpdraftPlus Backup & Migration Plugin

UpdraftPlus Backup & Migration Plugin is one of the most widely used WordPress backup solutions. Website owners use it to create backups, restore websites after problems, and migrate WordPress sites between hosts, servers, and domains.

The plugin has more than 3 million active installations and supports backup storage in a variety of cloud and remote services.

Vulnerable to Unauthorized Attackers

What makes this particularly dangerous is that the attacker does not need to log in: no WordPress account is required to exploit the bug. However, not all sites with UpdraftPlus installed are exposed in the same way. The plugin changelog describes the affected sites as those with a valid Migrator key or UpdraftCentral key.

According to the advisory, all versions up to and including version 1.26.4 are affected. The vulnerability exists in the UpdraftPlus_Remote_Communications_V2::wp_loaded function.

The issue is classified as an authorization bypass: a security flaw that enables completely unauthenticated attackers to bypass the plugin’s authentication checks. This gives them the ability to take administrator-level actions without logging in, providing a password, or presenting valid website credentials.

Validation controls must ensure that commands received by the plugin are legitimate and come from an authorized source. In this case, weaknesses in the way remote communication messages are authenticated make it possible to bypass those protections.

How Security Failures Work

The risk stems from insufficient validation of the remote communication message format.

According to Wordfence:

“UpdraftPlus: The WP Backup & Migration Plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function.

This is due to the insufficient authentication of the remote communication message format, where signature verification can be bypassed and untested decryption return values are wrapped in an unsuspecting encryption key.

This enables unauthorized attackers to execute arbitrary RPC commands and use them as a connected administrator, such as loading and executing a malicious plugin, ultimately leading to remote code execution.”

The plugin must verify that remote commands are valid before executing them. The authentication process can be bypassed, allowing attackers to create fake commands that the plugin treats as legitimate admin commands. Because those commands work with administrator-level privileges, attackers can perform actions that would normally require full administrative access.

This part of the Wordfence description also needs explanation:

“This is due to the insufficient authentication of the remote communication message format, where signature verification can be bypassed and return values from unchecked decryption wrap around a predictable encryption key of zero.”

What this means is that the plugin has a critical coding error: when a cryptographic check fails, the code opens the door instead of failing closed and locking the system down.
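To illustrate the bug class Wordfence describes (a signature check that can be skipped, and an unchecked decryption return value that collapses into a predictable all-zero key), here is a constructed Python example that is not UpdraftPlus code; the toy cipher, the message fields and all function names are assumptions made for this illustration, and the fail-open handler is shown only beside its fail-closed counterpart.

```python
import hashlib
import hmac

KEY_LEN = 32  # session-key length in bytes (constructed value for this example)

def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream, constructed for illustration only; not a real cipher.
    return (hashlib.sha256(key).digest() * (n // 32 + 1))[:n]

def toy_encrypt(key: bytes, plain: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    return hmac.new(key, plain, hashlib.sha256).digest() + body

def toy_decrypt(key: bytes, blob: bytes):
    # Returns plaintext, or None on failure, mirroring a PHP-style falsy return.
    if len(blob) < 32:
        return None
    tag, body = blob[:32], blob[32:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    if not hmac.compare_digest(tag, hmac.new(key, plain, hashlib.sha256).digest()):
        return None
    return plain

def _sig(site_key: bytes, payload_hex: str) -> str:
    return hmac.new(site_key, payload_hex.encode(), hashlib.sha256).hexdigest()

def build_message(site_key: bytes, session_key: bytes, command: bytes) -> dict:
    # Legitimate sender: wraps the session key under the site key and signs the payload.
    payload = toy_encrypt(session_key, command).hex()
    return {"key_blob": toy_encrypt(site_key, session_key).hex(),
            "payload": payload, "sig": _sig(site_key, payload)}

def unwrap_fail_open(site_key: bytes, msg: dict):
    # Vulnerable pattern: the signature is only checked when present, and a failed
    # key decryption (None) is coerced to b"" and zero-padded, so the session key
    # silently becomes 32 predictable zero bytes.
    if msg.get("sig") and not hmac.compare_digest(msg["sig"], _sig(site_key, msg["payload"])):
        return None
    session_key = toy_decrypt(site_key, bytes.fromhex(msg["key_blob"])) or b""
    return toy_decrypt(session_key.ljust(KEY_LEN, b"\0"), bytes.fromhex(msg["payload"]))

def unwrap_fail_closed(site_key: bytes, msg: dict):
    # Hardened pattern: the signature is mandatory and every failed step rejects.
    if not hmac.compare_digest(msg.get("sig", ""), _sig(site_key, msg["payload"])):
        return None
    session_key = toy_decrypt(site_key, bytes.fromhex(msg["key_blob"]))
    if session_key is None or len(session_key) != KEY_LEN:
        return None
    return toy_decrypt(session_key, bytes.fromhex(msg["payload"]))
```

A message whose key blob does not decrypt and that carries no signature is accepted by the fail-open handler under the all-zero key and rejected by the fail-closed one; a properly wrapped and signed message passes both.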

Remote Code Execution

In this context, Remote Code Execution means an attacker can run malicious code on a website’s host server over the Internet.

The vulnerability allows an unauthenticated attacker to bypass authentication and execute remote commands as if they were a logged-in administrator.

That means an attacker can send a command to load and execute a malicious WordPress plugin, essentially creating a backdoor to the site.

Once a malicious plugin is installed and activated, the server executes the code within that plugin. That can enable actions like stealing data, adding malware, changing site files, or taking control of the WordPress installation.

RCE turns authentication bypass into a site takeover risk. Once an attacker is able to execute malicious code on the server, they can gain control of the affected website. This may result in malware infection, website defacement, unauthorized administrator access, theft of sensitive information, or the use of a compromised site for further attacks.

The advisory clearly notes that attackers can upload and use malicious plugins, so this is a very real consequence.

Proof of Active Attack

Wordfence reported blocking 8,172 attacks targeting this vulnerability in a 24-hour period.

While attack activity alone does not indicate how many sites have been successfully compromised, it does indicate that attackers are attempting to exploit the flaw.

Patch Available

UpdraftPlus has released a patch; users should update their installations to secure their websites.

The plugin changelog for version 1.26.5 describes the problem as:

“Previous versions contained a bug that allowed sites with an active Migrator key (paid versions only) or UpdraftCentral key (free and paid versions) to perform unauthorized operations on them. All users should update immediately.”

Users of UpdraftPlus: WP Backup & Migration Plugin should upgrade to version 1.26.5 or newer as soon as possible.

Featured image by Shutterstock/Toey Andante
