
A critical vulnerability in the UpdraftPlus WordPress plugin has exposed more than 3 million websites globally to unauthenticated remote code execution, cybersecurity firm Wordfence reported Tuesday.
The flaw, an authentication bypass, allows attackers to execute commands as an administrator without needing to log in or possess a WordPress account, potentially leading to full website compromise, Wordfence said.
Wordfence, a company specializing in WordPress security, stated that it blocked 8,172 attacks targeting this specific vulnerability within a single 24-hour period.
The vulnerability impacts WordPress sites utilizing the UpdraftPlus: WP Backup & Migration Plugin in versions up to and including 1.26.4, specifically those with an active Migrator key or UpdraftCentral key.
UpdraftPlus, a widely used plugin for backups and migrations, has released a patch to address the security flaw.
Users of the affected plugin versions are advised to update immediately to version 1.26.5 or newer to secure their websites against potential exploitation, according to security experts.
Because the vulnerability is an authentication bypass, even sites with strong password policies could be at risk if they have not applied the necessary update, analysts said.
Cybersecurity analysts emphasized the urgency of patching, given the widespread use of the UpdraftPlus plugin across millions of WordPress installations.
The flaw highlights the ongoing challenges in maintaining web security, particularly with third-party plugins that extend the functionality of popular content management systems.
Source: Search Engine Journal
Written by
Saeed Ashif Ahmed