A vulnerability in UpdraftPlus: WP Backup & Migration Plugin affects more than 3 million WordPress websites and allows unauthenticated attackers to execute commands as administrator. This flaw allows attackers to download and activate malicious plugins, which can ultimately lead to remote code execution.
UpdraftPlus Backup and Migration Plugin
The UpdraftPlus Backup & Migration plugin is one of the most used WordPress backup solutions. Website owners use it to create backups, restore websites after problems, and migrate WordPress sites between hosts, servers, and domains.
The plugin is actively installed on over 3 million websites and supports backup storage on a wide range of cloud and remote services.
Vulnerable to unauthenticated attackers
What makes this vulnerability particularly concerning is that it does not require an attacker to log in: no WordPress account is needed to exploit the flaw. However, not all sites with UpdraftPlus installed are necessarily exploitable in the same way. The plugin changelog describes the affected condition as sites with an active Migrator key or UpdraftCentral key.
According to the advisory, all versions up to and including version 1.26.4 are affected. The vulnerability exists in the UpdraftPlus_Remote_Communications_V2::wp_loaded function.
The problem is classified as an authentication bypass vulnerability. Authentication bypass is a security flaw that allows completely unauthenticated attackers to skip the plugin's identity and login credential checks. This gives them the ability to perform administrator-level actions without ever needing to log in, provide a password, or provide valid website credentials.
Authentication checks are supposed to verify that commands received by the plugin are legitimate and come from an authorized source. In this case, weaknesses in the validation of remote communication messages make it possible to bypass these protections.
How the security breach works
The vulnerability arises from insufficient validation of the format of remote communication messages.
According to Wordfence:
“The UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function.
This is due to insufficient validation of the remoting message format, in which signature verification can be bypassed and unchecked decryption return values collapse into a predictable entirely zero encryption key.
This allows unauthenticated attackers to forge arbitrary RPC commands and execute them as a logged in administrator, for example by downloading and activating a malicious plugin, which ultimately leads to remote code execution.”
The plugin is supposed to verify that remote commands are genuine before executing them. The validation process can be bypassed, allowing attackers to create fake commands that the plugin treats as legitimate administrator instructions. Because these commands run with administrator-level privileges, attackers can perform actions that would normally require full administrative access.
Additionally, this part of the Wordfence description needs to be explained:
“This is due to insufficient validation of the format of remoting messages, where signature verification can be bypassed and unchecked decryption return values collapse into a predictable entirely zero encryption key.”
This means the plugin has a critical coding flaw in which a failed decryption is not treated as an error: the unchecked return value is carried forward and ends up as an all-zero key, which an attacker can predict and use to pass the signature check. In other words, the failed check defaults to an open door instead of locking the system.
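To make this fail-open pattern concrete, here is an added illustration that is not UpdraftPlus code: a toy keystream and an HMAC stand in for the real cipher, and the function and message names are invented. The vulnerable verifier coerces a failed key unwrap into an all-zero key, so a message signed under that zero key passes; the fixed verifier rejects the message as soon as the unwrap fails.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # length of the session key in this toy scheme (assumed)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream standing in for a real cipher (illustration only).
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def wrap_key(kek: bytes, session_key: bytes) -> bytes:
    # Encrypt-then-MAC the session key under a key-encryption key: nonce || ciphertext || tag.
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(session_key, _keystream(kek, nonce, len(session_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes):
    """Return the session key, or None when the tag fails (like a decrypt call returning false)."""
    if len(blob) < 12 + 32:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def sign(key: bytes, command: bytes) -> bytes:
    return hmac.new(key, command, hashlib.sha256).digest()


def verify_vulnerable(kek: bytes, blob: bytes, command: bytes, sig: bytes) -> bool:
    # Fail-open: a failed unwrap is silently padded into a predictable all-zero key.
    key = (unwrap_key(kek, blob) or b"").ljust(KEY_LEN, b"\0")
    return hmac.compare_digest(sig, sign(key, command))


def verify_fixed(kek: bytes, blob: bytes, command: bytes, sig: bytes) -> bool:
    # Fail-closed: a failed or malformed unwrap rejects the message outright.
    key = unwrap_key(kek, blob)
    if key is None or len(key) != KEY_LEN:
        return False
    return hmac.compare_digest(sig, sign(key, command))
```

The detection-side lesson is the same as the fix: treat every decrypt or unwrap return value as untrusted until its type and length have been checked.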
Remote Code Execution
In this specific context, remote code execution means that an attacker can run malicious code on the server hosting the website, over the Internet.
This vulnerability allows an unauthenticated attacker to bypass authentication and forge remote commands that are executed as a logged-in administrator.
This means that an attacker can send a command to download and activate a malicious WordPress plugin, creating a backdoor to the site.
Once the malicious plugin is installed and activated, the server can execute the code contained in this plugin. This can allow actions such as stealing data, adding malware, modifying site files, or taking control of the WordPress installation.
RCE turns authentication bypass into a site takeover risk. Once an attacker can execute arbitrary code on the server, they can control the affected website. This can potentially lead to malware infections, website defacement, unauthorized administrator access, theft of sensitive information, or use of the compromised site for other attacks.
The advisory specifically states that attackers can download and activate malicious plugins, so this is a very real outcome.
Evidence of active attacks
Wordfence reported blocking 8,172 attacks targeting this vulnerability over a 24-hour period.
Although attack activity alone does not indicate how many sites were compromised, it does show that attackers are actively trying to exploit the vulnerability.
Fix available
UpdraftPlus has released a patch allowing users to update their installations and secure their websites.
The plugin changelog for version 1.26.5 describes the issue as follows:
“Previous versions contained a flaw that allowed sites with an active Migrator key (paid versions only) or UpdraftCentral key (free and paid versions) to perform unauthorized operations on them. All users should update immediately.”
Users of UpdraftPlus: WP Backup & Migration Plugin should update to version 1.26.5 or newer as soon as possible.