WordPress force installs UpdraftPlus patch on 3 million sites
(Security News, February 2022)
WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability that let website subscribers, the lowest-privilege logged-in role, download the site's latest database backups, which often contain credentials and PII. Three million sites run the plugin, so the exposure was substantial, and the affected sites include some large platforms.
The vulnerability affects UpdraftPlus versions 1.16.7 through 1.22.2. The developers fixed it in 1.22.3 for the free plugin and in 2.22.3 for the Premium version.
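A practical check for the affected range, added here as an example and not code from the article, UpdraftPlus or WordPress: the script reads the standard WordPress plugin header of the plugin's main file, which carries a "Version:" line, and reports whether that version falls inside the vulnerable range stated above. The two sample headers are constructed. The Premium handling is an assumption: the article gives only the Premium fix version, so the script conservatively treats every Premium release below 2.22.3 as needing the update.

```python
"""Check whether an UpdraftPlus install falls in the affected version range.

Added example, not UpdraftPlus or WordPress code. Parses the 'Version:' line
of the plugin header (standard WordPress plugin header format) and compares it
against the range given in the article. Sample headers below are constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Free plugin: affected range and first fixed release, as stated in the article.
VULN_MIN: Version = (1, 16, 7)
VULN_MAX: Version = (1, 22, 2)
FIXED_FREE: Version = (1, 22, 3)
# Premium: the article gives only the fixed release, so anything below it is
# treated as needing the update. This is a conservative assumption, not a
# statement from the article.
FIXED_PREMIUM: Version = (2, 22, 3)

# Matches a WordPress plugin header line such as "Version: 1.22.2" or " * Version: 1.22.2".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.MULTILINE)


def parse_version(text: str) -> Version:
    """'1.22' -> (1, 22, 0); components beyond the third are ignored."""
    parts = [int(p) for p in text.strip().split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def version_from_header(plugin_header: str) -> Optional[Version]:
    """Extract the plugin version from the header block, or None if absent."""
    m = VERSION_RE.search(plugin_header)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(v: Version) -> bool:
    """True if the version is inside the affected range for its edition."""
    if v[0] == 1:                 # free edition numbering (1.x)
        return VULN_MIN <= v <= VULN_MAX
    if v[0] == 2:                 # Premium numbering (2.x), conservative rule
        return v < FIXED_PREMIUM
    return False


def assess(plugin_header: str) -> str:
    """Classify a plugin header as 'vulnerable', 'patched' or 'unknown'."""
    v = version_from_header(plugin_header)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "patched"


# Constructed sample headers; the real updraftplus.php carries more header fields.
SAMPLE_VULNERABLE = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.22.2
*/
"""
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("1.22.2", "1.22.3")

if __name__ == "__main__":
    for label, hdr in (("sample 1.22.2", SAMPLE_VULNERABLE),
                       ("sample 1.22.3", SAMPLE_FIXED)):
        print(label, "->", assess(hdr))
```

On a live site the header is in wp-content/plugins/updraftplus/updraftplus.php, and WP-CLI reports the same value with "wp plugin get updraftplus --field=version". Sites that have disabled automatic plugin updates should still confirm they actually received the forced push rather than assuming it.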
UpdraftPlus simplifies backup and restoration with scheduled backups and an option to automatically send backup files to a trusted email address.
Of course, an attacker would also need to know how to trigger the backup download, and so far UpdraftPlus reports that it has seen no exploitation in the wild. Note that patching closes the download path but does nothing for backups that were already fetched, so sites with any sign of unauthorized downloads should rotate the credentials those backups contain.
The developers of the popular plugin responded almost immediately, and on February 16, 2022, WordPress began force-upgrading installations to version 1.22.3.
According to the WordPress download stats for the plugin, 783,000 installs were upgraded on the 16th and a further 1.7 million on the 17th. Marc-Alexandre Montpas, the Jetpack researcher who reported the flaw, told BleepingComputer that this is one of the very rare and exceptionally severe cases in which WordPress forces auto-updates on all sites regardless of their admins' settings.