UpdraftPlus, a WordPress plugin with over 3 million installations, has been patched following the discovery of a vulnerability by security researcher Marc Montpas.
The Wordfence Threat Intelligence team explained in a blog post that the vulnerability enables any logged-in user, including subscriber-level users, to download backups made with the plugin. The WordPress security company explained that backups contain a great deal of sensitive information, often including configuration files that can be used to access the site database, as well as the contents of the database itself.
Initially, Wordfence said the attacker would need to initiate their attack while a backup was in progress and guess the appropriate timestamp in order to download it.
This was later updated with the news that it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”
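The flaw described above is a missing authorization check on a backup-download endpoint, compounded by a nonce that could be recovered from a log. The following added illustration is not UpdraftPlus's own code and is not taken from Wordfence's write-up: it is a hypothetical WordPress AJAX handler, shown first in a weak form that relies on the nonce alone and then hardened with a capability check, nonce verification and a path check. The action name, function names and the `EXAMPLE_BACKUP_DIR` constant are assumptions.

```php
<?php
// Added illustration (not UpdraftPlus code): a hypothetical backup-download
// AJAX endpoint, weak form followed by hardened form. All names are assumed.

define( 'EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/example-backups' );

// --- Weak form: trusts a nonce alone. Every logged-in user, subscribers
// included, can reach a wp_ajax_* handler, and a nonce proves the request
// came from that user's session, not that the user is privileged. If the
// nonce is exposed (for example in a log a low-privileged user can read),
// nothing here stops a subscriber from pulling the archive.
function example_weak_download_backup() {
    check_ajax_referer( 'example_download_backup', 'nonce' );
    $file = EXAMPLE_BACKUP_DIR . '/' . $_GET['file'];
    readfile( $file );
    wp_die();
}

// --- Hardened form.
function example_download_backup() {
    // 1. Authorization first: only users who may manage the site get backups.
    //    Subscribers lack manage_options, so they are refused regardless of nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Nonce check: defends against CSRF against an authorized user.
    //    It complements step 1 and never substitutes for it.
    check_ajax_referer( 'example_download_backup', 'nonce' );

    // 3. Input handling: accept only a bare file name that resolves to a
    //    path inside the backup directory.
    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $dir  = realpath( EXAMPLE_BACKUP_DIR );
    $path = ( '' !== $name && false !== $dir ) ? realpath( $dir . '/' . $name ) : false;
    if ( false === $path || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // 4. Serve the archive as an attachment with caching disabled.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    wp_die();
}

// Registered for authenticated requests only; no wp_ajax_nopriv_ hook,
// so anonymous visitors never reach the handler at all.
add_action( 'wp_ajax_example_download_backup', 'example_download_backup' );
```

The ordering matters: the capability check runs before anything else, so a leaked or guessed nonce and timestamp gives a subscriber-level account nothing. For the same reason, nonces and other per-request secrets should not be written to logs or status output that lower-privileged users can read.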