WordPress Backup Plugin Vulnerability Impacted 3+ Million Installations


A security researcher at Automattic discovered a vulnerability affecting the popular WordPress backup plugin UpdraftPlus. The vulnerability allowed attackers to download user names and hashed passwords. Automattic calls it a “severe vulnerability.”

UpdraftPlus WordPress Backup Plugin

UpdraftPlus is a popular WordPress backup plugin that is actively installed on over 3 million websites.

The plugin allows WordPress administrators to back up their WordPress installations, including the entire database, which contains user credentials, passwords and other sensitive information.

Because the data backed up by the plugin is so sensitive, publishers rely on UpdraftPlus to adhere to the highest security standards.

UpdraftPlus Vulnerability

The vulnerability was discovered during an audit conducted by a security researcher at Automattic’s Jetpack.

They discovered two previously unknown vulnerabilities.

The first was related to how UpdraftPlus security tokens, called nonces, could be leaked. This allowed an attacker to obtain the backup, including the nonce.


According to WordPress, nonces are not supposed to be the main line of defense against attackers. Its documentation explicitly states that functions should be protected by validating that the current user actually has the required capability (using the function current_user_can()).

WordPress explains:

“Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.”

The second vulnerability was tied to improper validation of a registered user’s role, precisely the area WordPress warns developers to lock down in their plugins.

The improper user role validation allowed someone with the data from the previous vulnerability to download any of the backups, which contain sensitive information.

Jetpack describes it:

“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn’t directly validate users’ roles either.

While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.

Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”

The U.S. government’s National Vulnerability Database warns that UpdraftPlus didn’t “…properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.”
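The authorization pattern described above, as an added illustrative example (not code from UpdraftPlus, Jetpack or WordPress core): a download handler hooked to admin_init that relies on $pagenow and a request-supplied backup identifier, beside a version that makes current_user_can() the authorization decision. Function names, the backup_id parameter, the capability and the backup directory are assumptions.

```php
<?php
// Added example, not UpdraftPlus or WordPress core code. Function names, the
// 'backup_id' parameter, the capability and the backup directory are assumed.

// admin_init runs for every logged-in user on any wp-admin page, admin-ajax.php
// and admin-post.php, so a handler hooked there must do its own authorization.

// WEAK (shown for contrast, not registered): "are we on an admin screen?"
// ($pagenow) plus "is the backup identifier known?" stand in for a role check.
// $pagenow is derived from the request and an identifier can leak, so any
// account, subscriber included, can reach the download branch.
function example_weak_download_handler() {
    global $pagenow;
    if ( 'options-general.php' !== $pagenow || empty( $_GET['backup_id'] ) ) {
        return;
    }
    example_send_backup_file( sanitize_file_name( wp_unslash( $_GET['backup_id'] ) ) );
}

// HARDENED: the capability check is the authorization decision. The WordPress
// nonce (checked via check_admin_referer) only adds CSRF protection on top.
function example_hardened_download_handler() {
    if ( empty( $_GET['backup_id'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {   // administrators only
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_download_backup' );   // expects _wpnonce in the request
    example_send_backup_file( sanitize_file_name( wp_unslash( $_GET['backup_id'] ) ) );
}
add_action( 'admin_init', 'example_hardened_download_handler' );

// Assumed helper: streams one archive from a hypothetical backup directory.
function example_send_backup_file( $backup_id ) {
    $path = WP_CONTENT_DIR . '/example-backups/' . $backup_id . '.zip';
    if ( ! is_file( $path ) ) {
        wp_die( 'No such backup.', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

The order in the hardened handler matters: the capability check runs before the nonce check, so a leaked or guessed identifier is never enough on its own.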


WordPress Forced Updates of UpdraftPlus

The vulnerability was so severe that WordPress took the extraordinary step of forcing automatic updates on all installations that hadn’t yet updated UpdraftPlus to the latest version.

But publishers are advised to confirm, rather than take for granted, that their installation was updated.

Affected Versions of UpdraftPlus

UpdraftPlus free versions before 1.22.3 and UpdraftPlus premium versions before 2.22.3 are vulnerable.

It’s recommended that publishers check to see that they are using the very latest version of UpdraftPlus.

Citations

Read the Jetpack Announcement: Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Read the UpdraftPlus Announcement: UpdraftPlus security release – 1.22.3 / 2.22.3 – please upgrade

Read the U.S. Government Documentation on the Vulnerability: CVE-2022-0633 Detail



Google Debuts 9 New Shopping Features


Google’s shopping experience for users is getting an upgrade. At today’s Search On event, Google announced nine new features and tools intended to improve the user experience.

The overarching theme of the updates is visualization and personalization.

Visualization Shopping Features

Google emphasized that users spend a lot of time researching, exploring, and discovering their options before purchasing. Google announced four visual features for users:

  • Search with the word “shop”. By starting your search with “shop” followed by what you’re searching for, you’ll now see a visual feed that includes products, research tools, and nearby inventory. This update also expands the shopping experience beyond apparel. It’s now available in all categories on mobile.
  • Shop the look. For the apparel category, users will now be able to “shop the look,” which showcases individual products to help create an entire outfit. Google’s tool will show products complementary to the main product a user is searching for, such as handbags or shoes to go along with a top or jacket.
  • Trending products feature. This is a new feature in Search which will show popular products in the category users are searching for. Google confirmed this will be available later this Fall.
  • 3D shopping. Expanding on the earlier launch of 3D shopping for home goods, 3D visuals of sneakers are coming in the following months.

Further, Google announced a way to build and create 3D visuals, because it understands that creating this type of asset takes a lot of time and resources. Its tool will use machine learning to generate 360-degree spins automatically from a few still images.

Encouraging Confident Purchasing

The next set of tools announced by Google is geared to help users make more informed purchasing decisions.

  • Guides for complex purchases. Google announced a buying guide for complex purchase decisions. The buying guide will consist of insights about that category from a range of trusted sources.
  • See what others are saying. Specifically, Page Insights will be available in the Google app. This feature brings together content from the website a user is on, or the product being researched, along with ratings and pros and cons, in a single view.

A More Personalized Shopping Experience

The last set of updates focuses on the individual shopping experience, including privacy preference enhancements.

  • More personalized results. Users will start getting personalized shopping results based on their previous shopping habits. To protect user privacy with this enhancement, users will have the ability to tell Google their preferences directly, as well as easy-to-use controls to toggle the feature on or off.
  • Shop with dynamic filters. Search filters will now adapt to real-time Search trends, meaning the filters are not static.
  • Using the Discover app for more inspiration. Users who have the Google app will start seeing style suggestions in the Discover tab based on their shopping behavior. If a user sees something they like, they can click on the product and Lens will open up to show available options on where to buy.

Next Steps For Advertisers

While the Search On event focused on the user experience, many advertisers are wondering how they should prepare for these updates.

For advertisers in the E-Commerce space, make sure your Merchant Center for Shopping Ads is in tip-top shape. This can include optimizing images, descriptions, titles, and including as many specifications as possible so users can better find your products.

More information is coming for marketers to help understand how these user experience updates will affect advertisers. We’ll continue to report on follow-ups from Google as they are announced.


Featured image: Vladimka production/Shutterstock

