Update WordPress UpdraftPlus immediately

Millions of WordPress sites needed to be updated because of a vulnerability in UpdraftPlus, a popular plugin that lets users create and restore backups.

The UpdraftPlus developers requested the mandatory update because the vulnerability allowed anyone with a low-privilege account on a site to download that site's entire database.


The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin.

"This bug is very easy to exploit, with very bad results. It gives low-privileged users the ability to download a site's backups, which include raw backups of the database."

He reported the bug to the UpdraftPlus developers on Tuesday of last week; they fixed it a day later and immediately began force-installing the update.

1.7 million sites have been updated since Thursday, out of a total of 3 million using the plugin.

The main flaw was that UpdraftPlus did not properly implement WordPress' "heartbeat" feature and did not check whether the requesting user had admin rights. A second issue was the variable used to authenticate administrators and distinguish them from untrusted users. For those interested, Jetpack has published more details of the vulnerability.
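The pattern the article describes, a Heartbeat handler that serves privileged data without checking who is asking, is shown below beside its hardened form. This is an added illustration written for this page, not UpdraftPlus code; the handler names, the `get_backup_link` request key and the `build_backup_download_link()` helper are hypothetical. WordPress runs the `heartbeat_received` filter for any logged-in user, so a handler cannot rely on "logged in" as a proxy for "administrator".

```php
<?php
// Added illustration, not UpdraftPlus code: a hypothetical plugin that
// answers WordPress Heartbeat requests with a backup download link.
// WordPress applies 'heartbeat_received' for every logged-in user,
// subscribers included, so the handler must do its own authorization.

// Vulnerable pattern: no capability check before serving privileged data.
function insecure_heartbeat_handler( $response, $data ) {
    if ( isset( $data['get_backup_link'] ) ) {
        // Any authenticated user reaches this branch.
        $response['backup_link'] = build_backup_download_link();
    }
    return $response;
}

// Hardened form: require a site-management capability and a nonce
// bound to this specific action before releasing the link.
function secure_heartbeat_handler( $response, $data ) {
    if ( ! isset( $data['get_backup_link'] ) ) {
        return $response;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        $response['backup_link_error'] = 'insufficient privileges';
        return $response;
    }
    if ( empty( $data['backup_nonce'] )
        || ! wp_verify_nonce( $data['backup_nonce'], 'get_backup_link' ) ) {
        $response['backup_link_error'] = 'invalid nonce';
        return $response;
    }
    $response['backup_link'] = build_backup_download_link();
    return $response;
}

// Hypothetical stand-in for a plugin's own link generation: the download
// endpoint itself must repeat the same capability check, since a link
// handed to an administrator can still be forwarded to someone else.
function build_backup_download_link() {
    return add_query_arg(
        array(
            'action'   => 'example_download_backup',
            '_wpnonce' => wp_create_nonce( 'example_download_backup' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}

add_filter( 'heartbeat_received', 'secure_heartbeat_handler', 10, 2 );
```

The point of the hardened version is that the authorization decision is made inside the handler that produces the sensitive value, not inferred from the fact that Heartbeat only fires for logged-in sessions; the nonce additionally ties the request to an action the administrator's own page issued.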


Written by giorgos
