WordPress plugin UpdraftPlus had a serious vulnerability

UpdraftPlus, a WordPress plugin with over 3 million installations, had a serious vulnerability that may have allowed logged-in users, including subscriber-level users, to download backups made with the plugin.
WordPress businessUpdraftPlus was updated with a security fix on Thursday for a vulnerability discovered by security researcher Marc Montpas.

“UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups,” said the Wordfence Threat Intelligence team.

One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice.

“This functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained in a blog post. “Exploiting this vulnerability would take an attacker with an active account on the target system.”

Wordfence urged all users running the UpdraftPlus plugin to update to the latest version of the plugin as soon as possible, if you have not already done so, since the consequences of a successful exploit would be severe.

This vulnerability was patched in version 1.22.3 of UpdraftPlus, and as such we strongly encourage you to verify that your site is running the most up to date version of the plugin and updating immediately if it is not.