Millions of WordPress sites needed to be updated and the reason was a vulnerability in UpdraftPlus, a popular one additional which allows users to create and restore backups.
The developers of UpdraftPlus requested the mandatory information, as the vulnerability allowed anyone with an account to download the entire base data of a website.
The bug was discovered by Jetpack security researcher Marc Montpas during a control security of the plugin.
"This mistake is very easy to exploit, with very bad results. It enables low-end users to download backups of a site, which include raw backups of the database.
He told UpdraftPlus developers the bug on Tuesday last week, they corrected it a day later and immediately began the forced installation of the update.
1,7 million sites have been updated since Thursday, out of a total of 3 million users using the plugin.
The main drawback was that UpdraftPlus did not properly implement WordPress 'hearbeat' function and could not check if users had administrator privileges. Another issue was a variable used to validate administrators to distinguish them from untrusted users. For those who are interested, Jetpack published more details for the hack.
