Nearly 3 million WordPress websites forcibly updated due to serious vulnerability

A critical vulnerability has been found in a WordPress plug-in. The vulnerability allows the website’s database to be easily downloaded. Millions of WordPress sites were only recently forced to be updated to fix the problem.

WordPress mandated an update for millions of websites created with the open source software. The update aims to fix a critical vulnerability in a plug-in called UpdraftPlus.

Data theft

Websites using the plug-in were not protected against data theft. In fact, anyone with an account on the vulnerable WordPress website could download the website’s private database. This database typically contains sensitive information about customers and website security.

The vulnerability was therefore so severe, according to UpdraftPlus developers, that it warranted a forced update. 2.96 million websites received the update in the past seven days, WordPress figures show.

Source: WordPress

Version 1.22.4 or later of the free version and version 2.22.4 or later of the premium version are safe again.
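A quick way for a site owner to confirm the fix has landed is to compare the installed UpdraftPlus version against the thresholds above. The script below is an added example, not code from the article or from UpdraftPlus; it assumes the plug-in's wp-cli name is `updraftplus`, that a 1.x version is the free edition and a 2.x version the premium edition, and it reads either `wp plugin list --format=json` output from stdin or an embedded constructed sample.

```python
import json
import re
import sys

# Constructed sample of `wp plugin list --format=json` output (not taken from any real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "updraftplus", "status": "active", "update": "available", "version": "1.22.3"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.2"},
])

# Fixed versions stated in the article, keyed by major version.
# Assumption: major 1 = free edition, major 2 = premium edition.
FIXED_VERSIONS = {1: (1, 22, 4), 2: (2, 22, 4)}


def parse_version(version):
    """Turn '1.22.4' or '1.22.4.1' into a tuple of ints; stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def updraftplus_status(plugin_list_json):
    """Return 'absent', 'patched', 'vulnerable' or 'unknown' for UpdraftPlus in a wp-cli plugin list."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != "updraftplus":   # assumed wp-cli plugin name
            continue
        installed = parse_version(plugin.get("version", ""))
        if not installed:
            return "unknown"
        fixed = FIXED_VERSIONS.get(installed[0])
        if fixed is None:
            return "unknown"    # a major version the article gives no threshold for
        # Tuple comparison handles extra components such as 1.22.4.1 correctly.
        return "patched" if installed >= fixed else "vulnerable"
    return "absent"


if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 check_updraftplus.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    print(updraftplus_status(data))
```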

Plug-in UpdraftPlus

The plug-in is popular among WordPress website owners because UpdraftPlus synchronizes data backups to various cloud services, such as Dropbox, Google Drive and Amazon S3.

The vulnerability in the plug-in was discovered by Marc Montpas. Late last year, this security researcher at Automattic also discovered two flaws in a WordPress SEO plug-in. The update for those vulnerabilities was not forced, so it took a long time for the latest version to be installed on all vulnerable websites.