Millions of WordPress sites receive forced auto-update to patch security flaw

Daniel Sims

Posts: 448   +18
Staff
What just happened? Last week the better part of two million WordPress sites got a forced security update because of a severe flaw in a plugin used for backing up data. The vulnerability could let unauthorized users download backups of WP sites.

Last Thursday, a security update for the UpdraftPlus plugin for WordPress sites went out to address a critical vulnerability. The developers thought the flaw was urgent enough to warrant a forced update.

UpdraftPlus is used to make downloading and restoring backups of WordPress sites simple. Developers at JetPack, during an internal audit of UpdraftPlus, found a vulnerability in a missing permissions check that could allow unauthorized users access to those backups. Usually, only administrators should have access to them. According to UpdraftPlus’s charts, around 1.7 million sites downloaded the update on Thursday.

Both JetPack and UpdraftPlus published warnings about the flaw. Sites that encrypt their backups are less at risk, and UpdraftPlus developers note that WordPress hashes its stored passwords, which should protect them from hackers who obtain unencrypted backups. JetPack says most Wordpress sites have been updated and urges those that haven't to install the latest UpdraftPlus patch.

WordPress plugin exploits are becoming an increasingly severe problem. A report from a security group last month said more vulnerabilities were reported in 2021 than in 2020 and that three-quarters of plugin flaws had known exploits.

Permalink to story.

 

bviktor

Posts: 842   +1,260
Very basic automated checks would greatly reduce the number of exploits in these plugins. QA is not optional, period.
 

someOtherGuy

Posts: 19   +9
Very basic automated checks would greatly reduce the number of exploits in these plugins. QA is not optional, period.
QA is us, that has been the way software had work for years now:
alpha code = beta product
beta code = product initial release
release candidate code = product version 4
stable code = product version 10+