An issue in a WordPress plug-in exposes PII & authentication data to malicious insiders.
The WordPress plug-in “Updraft Plus” was patched to correct a vulnerability that left sensitive backups at risk, potentially exposing personal information & authentication data.
Updraft Plus is used for creating, restoring & migrating backups of WordPress files, databases, plug-ins & themes. According to its website, Updraft Plus is used by more than 3m WordPress websites, including those of organisations such as Microsoft, Cisco & NASA.
Bug
On Mon., Marc-Alexandre Montpas – security engineer at Automattic Inc., WordPress’ parent company – submitted a ‘security defect report’ detailing a “severe vulnerability” that’s now been labelled CVE-2022-0633. The flaw’s severity rating is listed as High, at 8.5.
According to a security bulletin posted by Updraft Plus on Wed., the zero day allowed “any logged-in user on a WordPress installation with Updraft Plus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only.”
Backups are among the most sensitive assets in an IT environment, as they usually contain all kinds of user data, financial data, database configurations – really, anything & everything of value.
Advanced Attacks
Some of this data can later be used for even more advanced attacks.
“Access to the backups & database will likely 1st be used for credential theft,” John Bambenek, Principal Threat Hunter at Netenrich, explained, “but there are many possibilities for attackers to take advantage of the information.”
The major problem in this case was the mechanism by which Updraft Plus validated who was requesting backups. As outlined by WordPress security analysts at Wordfence, the attack starts with the WordPress heartbeat function.
Heartbeat Request
“The attacker needs to send a specially crafted heartbeat request containing a data updraft plus parameter,” they outlined in a writeup. “By supplying the appropriate sub-parameters, an attacker is able to obtain a backup log containing a backup nonce & timestamp which they can then use to download a backup.”
Critically, the attacker would need a logged-in account on the target site in order to reach the vulnerable heartbeat function. This limits the risk to websites to insider threats.
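The root cause described above is a privileged action gated on being logged in rather than on holding the administrative capability. The following is an added illustration, not UpdraftPlus’ own code: a hypothetical backup plug-in handling WordPress Heartbeat requests, with the weak check beside the hardened one. The function and parameter names (`example_backup`, `example_backup_log`, the `example_backup_download` nonce action) are assumptions; the WordPress APIs used (`heartbeat_received`, `current_user_can`, `wp_verify_nonce`) are real.

```php
<?php
// Added illustration (not UpdraftPlus code). A hypothetical plug-in answers
// Heartbeat requests that ask for a backup log. The weak handler trusts login
// state alone; the hardened one requires the admin capability and a nonce.

// Hypothetical helper: fetch the stored log for one backup id.
function example_backup_log( $backup_id ) {
    return get_option( 'example_backup_log_' . sanitize_key( $backup_id ), '' );
}

// WEAK: Heartbeat requests already run as the authenticated user, so
// is_user_logged_in() is true for subscribers and contributors too. Any account
// on the site reaches an action meant for administrators only, which is the
// class of flaw the article describes.
function example_heartbeat_weak( $response, $data ) {
    if ( ! empty( $data['example_backup']['id'] ) && is_user_logged_in() ) {
        $response['example_backup'] = example_backup_log( $data['example_backup']['id'] );
    }
    return $response;
}

// HARDENED: authorisation is checked on capability, not on authentication;
// the request must also carry a nonce bound to this action; and a denied
// attempt is logged so it can be detected, while the response reveals nothing
// (no log, no backup identifier, no timestamp).
function example_heartbeat_hardened( $response, $data ) {
    if ( empty( $data['example_backup']['id'] ) ) {
        return $response;
    }
    $req = $data['example_backup'];
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'example_backup: download denied for user %d', get_current_user_id() ) );
        return $response;
    }
    if ( empty( $req['nonce'] ) || ! wp_verify_nonce( $req['nonce'], 'example_backup_download' ) ) {
        error_log( 'example_backup: bad or missing nonce' );
        return $response;
    }
    $response['example_backup'] = example_backup_log( $req['id'] );
    return $response;
}

// Only the hardened handler is wired in; the weak one is shown for contrast.
add_filter( 'heartbeat_received', 'example_heartbeat_hardened', 10, 2 );
```

The same capability check belongs on every code path that hands out backup metadata, since the article notes that a leaked log alone (nonce & timestamp) was enough to reach the download.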
Powerful Combination
The popularity of Updraft Plus, combined with the simplicity of this attack, is a powerful combination.
As Bud Broomhead, CEO at Viakoo, remarked, “there is always a delay between finding a vulnerability & applying the security fix. This is a case for making all users, paid or not, receive security patches for high-severity vulnerabilities such as this.”
Bigger Trend
CVE-2022-0633 is hardly unique. Security flaws in WordPress plug-ins have become the dernier cri in web security in recent months.
In Jan., a cross-site scripting bug in the WP HTML Mail plug-in exposed over 20,000 sites, & an authentication vulnerability similar to CVE-2022-0633 was discovered in 3 different plug-ins servicing a combined 84,000 sites.
On Jan. 18 alone, 2 major security incidents broke: a 9.9 out of 10-rated vulnerability discovered in the AdSanity plug-in, & a coordinated supply chain compromise of 40 themes & 53 plug-ins belonging to Access Press Themes.
More Than Doubled
WordPress vulnerabilities are not new, but they more than doubled in 2021 & don’t seem to be slowing down.
As Broomhead noted, “exploits in widely used plugins or components (e.g. similar to Log4j, or recent open-source vulnerabilities) have a harsh reality; it’s up to each & every end user to take action to prevent the vulnerability from being exploited against them.”
Last Wed., Updraft Plus released its patched versions 1.22.3 (free) & 2.22.3 (paid). Administrators of vulnerable WordPress websites should update as soon as possible.