WordPress Backup Plugin Vulnerability Impacted 3+ Million Installations



A security researcher at Automattic discovered a vulnerability affecting the popular WordPress backup plugin UpdraftPlus. The vulnerability allowed hackers to download user names and hashed passwords. Automattic calls it a “severe vulnerability.”

UpdraftPlus WordPress Backup Plugin

UpdraftPlus is a popular WordPress backup plugin that is actively installed on over 3 million websites.

The plugin allows WordPress administrators to back up their WordPress installations, including the entire database, which contains user credentials, hashed passwords and other sensitive information.

Publishers rely on UpdraftPlus to adhere to the highest standards of security because of how sensitive the data it backs up is.

UpdraftPlus Vulnerability

The vulnerability was discovered during an audit conducted by a security researcher at Automattic’s Jetpack.

They discovered two previously unknown vulnerabilities.

The first was related to how UpdraftPlus security tokens, called nonces, could be leaked. This allowed an attacker to obtain the backup, including the nonce.

According to WordPress, nonces are not supposed to be the main line of defense against hackers. WordPress explicitly states that functions should be protected by properly validating that the current user has the required capability (using the function current_user_can()).

WordPress explains:

“Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.”

The second vulnerability was tied to improper validation of a registered user’s role, precisely the thing WordPress warns developers to lock down in their plugins.

The improper user role validation allowed someone holding the data leaked by the previous vulnerability to download any of the backups, which of course contain sensitive information.

Jetpack describes it:

“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn’t directly validate users’ roles either.

While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input.

Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”

The U.S. government’s National Vulnerability Database (NVD) warns that UpdraftPlus didn’t “…properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.”
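To make the distinction concrete, here is an added illustration (not UpdraftPlus’s own code) of a hypothetical plugin download handler written the weak way the write-up describes, beside a hardened version that applies the WordPress guidance quoted above. All hypothetical_* names and the backup directory path are invented for the example.

```php
<?php
// Added example, not UpdraftPlus code. hypothetical_* names are invented and the
// backup directory is a placeholder. Only the hardened handler is hooked below.
define( 'HYPOTHETICAL_BACKUP_DIR', WP_CONTENT_DIR . '/hypothetical-backups' ); // placeholder

function hypothetical_known_backup_files() {
    // Allow-list: only basenames of archives that actually exist in the backup directory.
    return array_map( 'basename', glob( HYPOTHETICAL_BACKUP_DIR . '/*.zip' ) ?: array() );
}

function hypothetical_stream_backup_file( $basename ) {
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $basename . '"' );
    readfile( HYPOTHETICAL_BACKUP_DIR . '/' . $basename );
    exit;
}

// WEAK pattern: a $pagenow check plus a nonce. $pagenow is derived from the request,
// and a nonce only proves the request carries a token the site issued; neither says
// anything about the caller's role, so a leaked nonce is enough to reach readfile().
function hypothetical_weak_download_handler() {
    global $pagenow;
    if ( 'options-general.php' !== $pagenow || empty( $_GET['backup_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_GET['backup_nonce'], 'download_backup' ) ) {
        return;
    }
    hypothetical_stream_backup_file( sanitize_file_name( $_GET['file'] ) );
}

// HARDENED pattern: capability first, then nonce, then strict validation of the argument.
function hypothetical_hardened_download_handler() {
    if ( empty( $_GET['hypothetical_action'] ) || 'download_backup' !== $_GET['hypothetical_action'] ) {
        return; // not a download request; let the rest of admin_init run normally
    }
    // 1. Authorization by capability, as WordPress recommends (current_user_can()).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to download backups.' ), '', 403 );
    }
    // 2. CSRF protection: verifies the nonce passed in ?backup_nonce= and dies on failure.
    check_admin_referer( 'download_backup', 'backup_nonce' );
    // 3. Accept only a known backup basename, never a raw path taken from the request.
    $file = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    if ( '' === $file || ! in_array( $file, hypothetical_known_backup_files(), true ) ) {
        wp_die( esc_html__( 'Unknown backup.' ), '', 400 );
    }
    hypothetical_stream_backup_file( $file );
}
add_action( 'admin_init', 'hypothetical_hardened_download_handler' );
```

The order matters: a subscriber who has obtained a valid nonce passes the weak handler’s checks but is stopped by the capability check in the hardened one before the nonce is even examined.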

WordPress Forced Updates of UpdraftPlus

The vulnerability was so severe that WordPress took the extraordinary step of forcing automatic updates on all installations that hadn’t yet updated UpdraftPlus to the latest version.

But publishers should not take it for granted that their installation was updated.

Affected Versions of UpdraftPlus

UpdraftPlus free versions before 1.22.3 and UpdraftPlus premium versions before 2.22.3 are vulnerable to the attack.

It’s recommended that publishers check to see that they are using the very latest version of UpdraftPlus.

Citations

Jetpack announcement: Severe Vulnerability Fixed In UpdraftPlus 1.22.3

UpdraftPlus announcement: UpdraftPlus security release – 1.22.3 / 2.22.3 – please upgrade

U.S. government documentation on the vulnerability: CVE-2022-0633 Detail


Search Engine Journal Promotes Miranda Miller To Senior Managing Editor


It is with tremendous pride and excitement that I announce the promotion of Miranda Miller, an editorial and content strategy champion, to Senior Managing Editor.

While this promotion actually happened in January, having recently joined SEJ myself, I wanted to celebrate Miranda’s growth and leadership within the organization.

In this advanced role, her areas of ownership will include core elements of SEJ’s editorial operations, including its rich educational and evergreen content.

“The word that comes to mind is blossom,” said Jenise Uehara, CEO of SEJ’s parent company Alpha Brand Media.

“Miranda dove into organizational management, cross-department collaboration, and business process design, while also tackling inefficiencies and challenges.”

An exceptional writer and editor, Miranda also brings considerable experience and expertise in content strategy.

Over the past several months, Miranda has truly shone as an organizational leader, working to grow SEJ’s editorial blueprint, talent, and operations exponentially.


“And all the while, Miranda somehow kept the publishing crank turning out exceptional content and breaking news,” Jenise added.

“I’ve been thrilled to watch Miranda so quickly engage and take on a meatier leadership role.”

Having followed her work since joining SEJ, I can personally speak to the diversified wealth of knowledge Miranda brings to the editorial team – not to mention the publication at large.

“I joined SEJ early in 2021 to help lead the editorial team in a period of great growth and opportunity,” Miranda said.

“We’ve been able to increase expert and educational content production by over 60% even while introducing a data-driven approach to content strategy and optimization,” she added.


This year, we’ll publish 50% more ebooks than in 2021, and our contributing author program has grown to over 130 digital marketing and SEO experts with her guidance.

Prior to coming in-house, Miranda spent over 15 years leading her own marketing agency which served clients as wide-ranging as the world’s leading polar expeditions company, fintech and app startups, Fortune 100 companies, and several government agencies.

She’s been a prolific ghostwriter for brands and executives in SEO, tech, and finance, and has authored thousands of articles for clients that have appeared in the best-known B2B publications, technical journals, and mainstream media.


As Editor-in-Chief, I’m beyond excited to watch Miranda’s leadership undoubtedly contribute to SEJ’s ongoing substantial growth.

SEJ’s brand and content offerings continue to evolve, to serve an audience of marketers and business leaders – and there has never been a more inspiring or energizing time to cultivate, promote, and be part of this remarkably talented team.

“Content quality has always been my number one priority, and so it’s refreshing to see that this is a shared value across the SEJ team,” Miranda said.

“I love to see the new ebook formats and article types we’re creating now and am really looking forward to continuing to innovate and teach, to bring the most useful and helpful educational content possible to the SEJ audience.”

Miranda is a part-time digital nomad and runs a location-independent content studio for enterprise organizations.

Three to four months of the year, she works in coworking spaces and cafes around Europe, Latin America, and the Caribbean.


“But not at the beach,” Miranda adds. “That’s a myth. Ever had sand in your laptop? No bueno.”

At her home base on Georgian Bay in Canada, she’s the wife of a talented chef; mother bear to two teens, two Shepherds, and three budgies; and a patron of the local live music and literary scenes.


She’s also a huge fan of adrienne maree brown, Lizzo, Phoebe Waller-Bridge, Margaret Atwood, AOC – and hockey.


Featured Image: Miranda Miller
