A vulnerability in the UpdraftPlus: WP Backup & Migration Plugin affects more than 3 million WordPress websites and enables unauthenticated attackers to execute commands as an administrator. The flaw makes it possible for attackers to upload and activate malicious plugins, which can ultimately lead to remote code execution.

UpdraftPlus Backup & Migration Plugin

The UpdraftPlus Backup & Migration Plugin is one of the most widely used WordPress backup solutions. Website owners use it to create backups, restore websites after problems, and migrate WordPress sites between hosts, servers, and domains.

The plugin is actively installed on more than 3 million websites and supports backup storage on a wide range of cloud and remote services.

Vulnerable To Unauthenticated Attackers

What makes this vulnerability especially concerning is that it does not require an attacker to log in; no WordPress account is needed to exploit the flaw. However, not every site with UpdraftPlus installed is necessarily exploitable in the same way. The plugin changelog describes the affected condition as sites with an active Migrator key or UpdraftCentral key.

According to the advisory, all versions up to and including version 1.26.4 are affected. The vulnerability exists in the UpdraftPlus_Remote_Communications_V2::wp_loaded function.

The issue is classified as an authentication bypass vulnerability. Authentication bypass is a security flaw that enables completely unauthenticated attackers to skip the plugin’s identity-verification and login credential checks. This gives them the ability to take administrator-level actions without ever needing to log in, provide a password, or provide valid website credentials.

Authentication controls are supposed to verify that commands received by the plugin are legitimate and come from an authorized source. In this case, weaknesses in the way remote communications messages are validated make it possible to bypass those protections.

How The Security Failure Works

The vulnerability stems from insufficient validation of the remote communications message format.

According to Wordfence:

“The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function.

This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key.

This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.”

The plugin is supposed to verify that remote commands are authentic before executing them. The validation process can be bypassed, allowing attackers to create forged commands that the plugin treats as legitimate administrator instructions. Because those commands run with administrator-level privileges, attackers can perform actions that would normally require full administrative access.

Also, this part of Wordfence’s description needs explaining:

“This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key.”

What it means is that the plugin has a critical coding flaw in which a failed decryption step is not treated as an error. Instead of rejecting the message, the code continues with a predictable all-zero key, so the failure defaults to an open door instead of locking the system down.
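To make the "fail-open" pattern concrete, here is an added illustration in Python. It is not UpdraftPlus code and does not model the plugin's real message format; the envelope fields (`key`, `body`, `sig`), the toy HMAC-based key wrapping, and all keys and messages are constructed for the example. It puts a handler that coerces a failed key unwrap into an all-zero key and treats a missing signature as "nothing to verify" next to a handler that fails closed on every validation error, and runs both over the same three messages.

```python
import hashlib
import hmac
import json

KEY_LEN = 32  # assumed session-key size for this illustration


class RpcRejected(Exception):
    """Raised by the hardened handler for any message that fails validation."""


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode), for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(session_key: bytes, kek: bytes) -> str:
    """Encrypt a session key under a key-encryption key: hex(mac || enc_key)."""
    enc_key = xor_bytes(session_key, keystream(kek, KEY_LEN))
    mac = hmac.new(kek, enc_key, hashlib.sha256).digest()
    return (mac + enc_key).hex()


def unwrap_key(wrapped_hex: str, kek: bytes):
    """Reverse of wrap_key. Returns None on malformed input or MAC mismatch,
    mirroring a decryption routine that returns false/None on failure."""
    try:
        blob = bytes.fromhex(wrapped_hex)
    except (TypeError, ValueError):
        return None
    if len(blob) != 2 * KEY_LEN:
        return None
    mac, enc_key = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(mac, hmac.new(kek, enc_key, hashlib.sha256).digest()):
        return None
    return xor_bytes(enc_key, keystream(kek, KEY_LEN))


def sign(session_key: bytes, body: str) -> str:
    return hmac.new(session_key, body.encode(), hashlib.sha256).hexdigest()


def handle_rpc_weak(envelope: dict, kek: bytes):
    """Fail-open pattern (modelled here, not the plugin's code): a failed unwrap
    is coerced to b'' and zero-padded, so the session key silently becomes all
    zeros, and a missing 'sig' field is treated as nothing to verify."""
    session_key = (unwrap_key(envelope.get("key", ""), kek) or b"").ljust(KEY_LEN, b"\0")
    body = envelope.get("body", "")
    if "sig" in envelope and envelope["sig"] != sign(session_key, body):
        return None
    return json.loads(body)


def handle_rpc_fixed(envelope: dict, kek: bytes):
    """Fail-closed: strict shape check, unwrap failure is fatal, signature is
    mandatory and compared in constant time."""
    for field in ("key", "body", "sig"):
        if not isinstance(envelope.get(field), str):
            raise RpcRejected(f"missing or malformed field: {field}")
    session_key = unwrap_key(envelope["key"], kek)
    if session_key is None:
        raise RpcRejected("session key unwrap failed")
    if not hmac.compare_digest(envelope["sig"], sign(session_key, envelope["body"])):
        raise RpcRejected("signature mismatch")
    return json.loads(envelope["body"])


def outcome(handler, envelope: dict, kek: bytes) -> str:
    """Summarise a handler's decision as 'accepted' or 'rejected'."""
    try:
        return "accepted" if handler(envelope, kek) is not None else "rejected"
    except RpcRejected:
        return "rejected"


def demo() -> dict:
    """Return {message_name: (weak_outcome, fixed_outcome)} for a valid message,
    one whose key field is empty, and one with no signature. All constructed."""
    kek = hashlib.sha256(b"constructed-demo-kek").digest()
    session_key = hashlib.sha256(b"constructed-demo-session").digest()
    body = json.dumps({"cmd": "list_backups"})
    valid = {"key": wrap_key(session_key, kek), "body": body, "sig": sign(session_key, body)}
    empty_key = {"key": "", "body": body, "sig": sign(b"\0" * KEY_LEN, body)}
    no_sig = {"key": valid["key"], "body": body}
    return {
        name: (outcome(handle_rpc_weak, env, kek), outcome(handle_rpc_fixed, env, kek))
        for name, env in (("valid", valid), ("empty_key", empty_key), ("no_sig", no_sig))
    }


if __name__ == "__main__":
    for name, (weak, fixed) in demo().items():
        print(f"{name:10s} weak={weak:8s} fixed={fixed}")
```

The two handlers differ in one design decision: the weak one treats every validation failure as a value to keep working with (an empty key becomes zeros, an absent signature becomes no check), while the fixed one treats every failure as a reason to stop. Only the valid message passes the fail-closed handler; the other two are rejected before any command body is parsed.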

Remote Code Execution

In this specific context, Remote Code Execution means an attacker can run malicious code on the website’s hosting server over the internet.

The vulnerability enables an unauthenticated attacker to bypass authentication and forge remote commands that run as the connected administrator.

That means an attacker can send a command to upload and activate a malicious WordPress plugin, essentially creating a backdoor into the site.

Once the malicious plugin is installed and activated, the server can execute the code inside that plugin. That can enable actions such as stealing data, adding malware, changing site files, or taking control of the WordPress installation.

RCE turns the authentication bypass into a site takeover risk. Once an attacker can execute arbitrary code on the server, they can control the affected website. This can potentially lead to malware infections, website defacement, unauthorized administrator access, theft of sensitive information, or the use of the compromised site for further attacks.

The advisory specifically notes that attackers can upload and activate malicious plugins, so this is a very real outcome.

Evidence Of Active Attacks

Wordfence reported that it blocked 8,172 attacks targeting this vulnerability during a 24-hour period.

While attack activity alone does not indicate how many sites were successfully compromised, it shows that attackers are actively attempting to exploit the flaw.

Patch Available

UpdraftPlus has made a patch available for users to update their installations and secure their websites.

The plugin changelog for version 1.26.5 describes the issue as:

“Previous versions contained a defect allowing sites with an active Migrator key (paid versions only) or UpdraftCentral key (free and paid versions) to have unauthorised operations carried out on them. All users should update immediately.”

Users of the UpdraftPlus: WP Backup & Migration Plugin should update to version 1.26.5 or a newer version as soon as possible.
