A vulnerability in the UpdraftPlus: WP Backup & Migration Plugin affects over 3 million WordPress websites, enabling unauthenticated attackers to execute commands as administrators. This flaw allows attackers to upload and activate malicious plugins, leading to potential remote code execution.

UpdraftPlus is one of the most widely used backup solutions for WordPress, helping users create backups, restore websites, and migrate between servers. The plugin supports backup storage on multiple cloud and remote services.

The vulnerability does not require an attacker to log in or possess a WordPress account to be exploited. Only sites with an active Migrator key or UpdraftCentral key are susceptible to this issue. Versions up to and including 1.26.4 contain the flaw, which stems from a failure in the UpdraftPlus_Remote_Communications_V2::wp_loaded function.

This weakness is classified as an authentication bypass: it lets attackers skip the plugin's identity verification and credential checks and perform administrator-level actions without logging in. The root cause is insufficient validation of the format of the remote communication messages the plugin accepts.

Wordfence detailed that the vulnerability allows unauthenticated attackers to forge arbitrary RPC commands that the plugin executes as the connected administrator. This means they can upload and activate malicious plugins, which can lead to remote code execution on the affected websites.

The potential consequences of this vulnerability include extensive risks such as malware infection, website defacement, unauthorized access, and the theft of sensitive information. Evidence of active attempts to exploit the flaw has emerged, with Wordfence reporting 8,172 blocked attacks targeting this vulnerability within a 24-hour period.

UpdraftPlus has released a patch for the issue. Users are strongly advised to update their installations to version 1.26.5 or newer immediately to secure their websites against this vulnerability.
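As an added triage helper for administrators with many sites to check (example code written here, not code from UpdraftPlus or Wordfence), the following reads the `Version:` field from a WordPress plugin header and flags anything below the fixed release 1.26.5. The header text is a constructed sample; on a live install the same text would be read from the plugin's main file, assumed to be wp-content/plugins/updraftplus/updraftplus.php.

```python
import re
from typing import Optional

# Boundaries taken from the advisory: <= 1.26.4 vulnerable, >= 1.26.5 fixed.
LAST_VULNERABLE = "1.26.4"
FIXED_VERSION = "1.26.5"


def parse_version(text: str) -> tuple:
    """Turn '1.26.5' into (1, 26, 5) so comparisons are numeric, not lexical
    (a plain string compare would wrongly rank '1.26.10' below '1.26.5')."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def plugin_header_version(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment.
    Accepts both 'Version: x' and ' * Version: x' header styles."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(header: str) -> dict:
    """Summarise one install: version found, whether it is affected, next step."""
    version = plugin_header_version(header)
    if version is None:
        return {"version": None, "vulnerable": None, "action": "version not found"}
    vulnerable = is_vulnerable(version)
    action = f"update to {FIXED_VERSION} or newer" if vulnerable else "patched"
    return {"version": version, "vulnerable": vulnerable, "action": action}


# Constructed sample of a plugin header (assumed layout of updraftplus.php).
SAMPLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.26.4
Author: UpdraftPlus.Com, DavidAnderson
*/
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

The advisory also limits exposure to sites with an active Migrator or UpdraftCentral key, so a flagged install with neither key is lower priority but should still be updated.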
