Serious flaw found in WordPress backup plugin used by over 3 million sites


Patches have been issued to address a "critical" security vulnerability in UpdraftPlus, a WordPress plugin with more than three million installs, that could be weaponized to download private site data using any account on a vulnerable site.

"As of March 2019, all versions of UpdraftPlus contain a vulnerability due to a missing permission level check, allowing untrusted users to access the backups," the plugin maintainers said in an advisory issued this week.


Automattic security researcher Marc-Alexander Montpas was credited with discovering and reporting the vulnerability on February 14, which was assigned the identifier CVE-2022-0633 (CVSS rating: 8.5). The issue affects UpdraftPlus versions from 1.16.7 to 1.22.2.

UpdraftPlus is a backup and restore solution capable of performing full, manual or scheduled backups of WordPress files, databases, plugins and themes, which can then be restored through the WordPress admin dashboard.

One consequence of this flaw is that it allows any logged-in user on a WordPress installation running UpdraftPlus to download an existing backup, a privilege that should be reserved for administrative users only.
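The bug class described above, a plugin AJAX handler that serves a backup file without checking the caller's role, is illustrated below alongside the hardened form. This is an added example, not UpdraftPlus code: the action name, directory and function names are hypothetical, and only the WordPress API calls (`current_user_can`, `check_ajax_referer`, `add_action`) are real.

```php
<?php
// Illustrative WordPress AJAX handler for serving a backup archive.
// Added example, NOT UpdraftPlus code: action name, backup directory
// and function names are hypothetical.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for ANY authenticated user,
// whatever their role, so registering a handler is not a permission
// check. A subscriber-level account can reach this code path.
function example_backup_download_vulnerable() {
    $file = WP_CONTENT_DIR . '/example-backups/' . basename( $_GET['backup'] ?? '' );
    if ( ! is_readable( $file ) ) {
        wp_die( 'Not found', 404 );
    }
    header( 'Content-Type: application/zip' );
    readfile( $file );
    exit;
}

// HARDENED PATTERN: verify the caller's capability (only administrators
// may download backups) AND a nonce bound to this action before serving.
function example_backup_download_hardened() {
    // Permission-level check: rejects every non-administrative user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // Nonce check: rejects requests not issued from the plugin's admin UI.
    check_ajax_referer( 'example_backup_download', 'nonce' );

    // basename() strips any directory component from the user-supplied name.
    $name = basename( wp_unslash( $_GET['backup'] ?? '' ) );
    $file = WP_CONTENT_DIR . '/example-backups/' . $name;
    if ( '' === $name || ! is_readable( $file ) ) {
        wp_die( 'Not found', 404 );
    }
    header( 'Content-Type: application/zip' );
    readfile( $file );
    exit;
}

// Register only the hardened handler. No wp_ajax_nopriv_* hook is added,
// so unauthenticated requests are never routed to it at all.
add_action( 'wp_ajax_example_backup_download', 'example_backup_download_hardened' );
```

When auditing a plugin, the check is the same: every `wp_ajax_*` (and REST or `admin-post`) handler that reads or writes privileged data must call `current_user_can()` itself, because WordPress does not enforce a role for it.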


Beyond leaking passwords and other confidential data, it can "in some cases take over the site if the attacker is able to obtain database credentials from a configuration file and successfully access the site's database," WordPress security firm Wordfence noted.

UpdraftPlus plugin users are recommended to update to version 1.22.3 (or 2.22.3 for the premium version) to mitigate any potential exploits. The latest version available as of February 17th is 1.22.4, which fixes a bug related to printing autosave options on PHP 8.
