WordPress backup plugin maker Updraft says “You should update”…
WordPress plugins need to be kept up-to-date just as keenly as WordPress itself.
That's why we thought we'd write about a recent warning from the creators of Updraft and Updraft Plus, which are free and premium plugins respectively that are dedicated to backing up, restoring and cloning WordPress sites.
As you can imagine, a security bug in a backup plugin that could allow an attacker to download a site backup without authorisation means, in theory, that your entire site, and all its accompanying data, could end up getting stolen in one go.
That, apparently, is the nature of CVE-2022-23303, a bug found and reported in the Updraft plugin by a security researcher at Automattic, the company behind the WordPress brand.
What to do?
If you're an Updraft or Updraft Premium user, make sure you have at least version 1.22.4 or 2.22.4 respectively.
As Updraft correctly points out, although an active attack would depend on "a hacker reverse-engineering the changes in the latest [...] release to work it out, [...] you should certainly not rely upon this taking long, but should update immediately."
If you run a website of your own, whether it's based on WordPress or not, practise how you would respond if you came across a data-threatening bug like this one.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-01-17 | CVE-2022-23303 | Information Exposure Through Discrepancy vulnerability in multiple products The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. | 9.8 |