UpdraftPlus, a widely used general-purpose backup and restore plugin for WordPress, has made available a security release for both its free and paid versions, versions 1.22.4 and 2.22.4 respectively. It is strongly recommended to update your UpdraftPlus plugin to the most recent version immediately to close this security vulnerability. An update to the previously released versions 1.22.3 and 2.22.3 was made to resolve a conflict with another commonly used third-party plugin.
This security release comes on the heels of an audit by a security researcher from Automattic, who noted that the previous versions of UpdraftPlus allowed any logged-in user on a WordPress installation to download an existing backup, even if the user did not have the administrative privileges this ability should be reserved for. This was possible because there was no check of the user's privileges before the backup could be downloaded.
On any WordPress installation that allows untrusted users to log in, such users therefore had the potential to download an existing backup.
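As an added illustration of the defect class described above, not UpdraftPlus's own code or its actual handler: a minimal WordPress AJAX download handler with the missing authorization check, beside its corrected form. Function, hook, nonce and directory names are hypothetical.

```php
<?php
// Added illustration, not UpdraftPlus code. Names (demo_backup_download,
// the demo_backups directory, 'demo_backup_nonce') are hypothetical.

// VULNERABLE pattern: wp_ajax_{action} hooks fire for any authenticated
// user, so without an explicit capability check a subscriber-level account
// can reach this handler and receive the file.
function demo_backup_download_vulnerable() {
    $file = basename( (string) ( $_GET['file'] ?? '' ) );
    $path = WP_CONTENT_DIR . '/demo_backups/' . $file;
    if ( '' === $file || ! is_file( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    readfile( $path );
    exit;
}

// HARDENED pattern: verify the request nonce (CSRF) and require an
// administrator-level capability before any file is touched. Being logged
// in is authentication; current_user_can() is the authorization step.
function demo_backup_download_fixed() {
    check_ajax_referer( 'demo_backup_nonce', '_wpnonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $file = basename( sanitize_file_name( (string) ( $_GET['file'] ?? '' ) ) );
    $path = WP_CONTENT_DIR . '/demo_backups/' . $file;
    if ( '' === $file || ! is_file( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    readfile( $path );
    exit;
}

// Register only the hardened handler. Omitting the wp_ajax_nopriv_ variant
// keeps anonymous users out, but login alone is not authorization.
add_action( 'wp_ajax_demo_backup_download', 'demo_backup_download_fixed' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_`, `admin_post_` and REST route callback that reads or serves privileged data and confirm a `current_user_can()` (or REST `permission_callback`) check runs before the action.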
More information on this security release can be found on UpdraftPlus’ site, as well as in the CVE record created for it, CVE-2022-23303.