WordPress 2022 update (security update)

1.7 million WordPress sites required a security update due to a serious WordPress vulnerability

WordPress has been affected by vulnerabilities identified in some of its plugins, which can compromise the security of websites built on the platform. In January, a vulnerability was identified in the Essential Addons for Elementor plug-in, a feature used by more than a million websites. The problem was discovered by a PatchStack researcher, and it has since been fixed.


Now it was the UpdraftPlus plugin, used to create and restore website backups. The problem that was found, which has already been fixed by an emergency security update, allowed any user with an account on a website to download the entire database.

The bug was discovered by Jetpack's security researcher Marc Montpas while reviewing the plugin. Speaking to Ars Technica, the researcher stated that the bug was very easy to exploit, with disastrous results if used: it allowed users with basic privileges to download backups from a website, including raw databases.

UpdraftPlus developers were alerted to the bug, and it was fixed the next day, forcing all websites using this plug-in to perform an emergency update. In all, 1.7 million sites have been updated, out of about 3 million users.

In the Jetpack blog, it was explained that the vulnerability was due to an incorrect implementation of a handler for the WordPress “heartbeat” feature, the place where user privileges should have been checked. In this case, the plugin did not check whether the request came from a site administrator. Through the vulnerability, an attacker could easily access information from website backups.

To confirm that you have the secure version of the UpdraftPlus plugin, WordPress-based website administrators must verify that it is updated to version 1.22.

Forced UpdraftPlus WordPress Plugin Update on Millions of Websites

In an unprecedented and dangerous move, WordPress forced an update of the UpdraftPlus plugin on millions of websites, and now there is a bug.

WordPress took the rare step of forcing the UpdraftPlus plugin to update on all websites to fix a high-risk vulnerability that allowed website subscribers to download the latest database backups, which often contain credentials and PII.

Three million websites use the popular WordPress plugin, so the potential for exploitation was great, affecting a large part of the Internet, including the major platforms.

The vulnerability affects UpdraftPlus versions 1.16.7 through 1.22.2, and the developers patched it with 1.22.3 or 2.22.3 for Premium (paid).

The flaw was discovered by security researcher Marc Montpas of Automattic, is tracked as CVE-2022-0633, and has a CVSS v3.1 score of 8.5.

UpdraftPlus helps simplify the backup and restore process with scheduled backup jobs and the option to automatically download to a trusted email address.

However, due to bugs in the plugin, any low-level authenticated user can create a valid link that allows them to download files.

WordPress Forced UpdraftPlus

The flaw was discovered on February 14, 2022 and UpdraftPlus was immediately notified, while technical details followed the next day.

The response from the developers of the popular plugin was almost immediate, and on February 16, 2022, WordPress began updating installations to version 1.22.3.

The problem is incorrect validation of the user: the plugin did not properly check whether the user had the necessary privileges before granting access to the backup identifier and backup timestamps.

The attack begins by sending a heartbeat request containing a "data" parameter to get information about the most recent backup.

Armed with this information, the attacker triggers the "email backup" function after the endpoint request is processed.

This function is usually limited to administrators only, but anyone with an account on the target site could reach it without restriction, since there was no permission check.
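The missing permission check described here (and in the Jetpack explanation of the heartbeat handler above) is a general pattern, so the following added illustration shows it in a hypothetical plugin rather than in UpdraftPlus. This is not UpdraftPlus's or Jetpack's code: every `example_backup_*` name, the `backup_id` value and the timestamp are invented. Only the WordPress APIs are real (the `heartbeat_received` filter, which receives the client's "data" array, `current_user_can()`, `wp_verify_nonce()`, `check_ajax_referer()`, `wp_send_json_error()`). The first handler answers any logged-in user's heartbeat with backup metadata; the second requires an administrator capability and a nonce, and the download endpoint repeats the check instead of trusting that the caller knows an identifier.

```php
<?php
/**
 * Added illustration for a hypothetical plugin "example-backup". This is NOT
 * UpdraftPlus code; every example_backup_* name is invented. It uses only real
 * WordPress APIs: the heartbeat_received filter, current_user_can(),
 * wp_verify_nonce(), check_ajax_referer() and wp_send_json_error().
 */

// Constructed stand-in for "the most recent backup": an identifier and a timestamp.
function example_backup_latest_metadata() {
    return array(
        'backup_id' => 'constructed-backup-id', // placeholder, not a real identifier
        'timestamp' => 1644796800,              // constructed value
    );
}

/*
 * VULNERABLE PATTERN. The Heartbeat API only guarantees that *some* logged-in
 * user sent the request. Answering the "data" key for anyone means a subscriber
 * learns the identifier and timestamp needed to ask for a backup download.
 */
function example_backup_heartbeat_vulnerable( $response, $data ) {
    if ( isset( $data['example_backup_latest'] ) ) {
        $response['example_backup_latest'] = example_backup_latest_metadata();
    }
    return $response;
}

/*
 * HARDENED PATTERN. Authorization is decided by capability, not by the mere
 * existence of a session, and a nonce ties the request to an explicit admin action.
 */
function example_backup_heartbeat_secure( $response, $data ) {
    if ( ! isset( $data['example_backup_latest'] ) ) {
        return $response;
    }
    // Backup metadata is an administrator-level concern: require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        $response['example_backup_latest'] = array( 'error' => 'forbidden' );
        return $response;
    }
    // The nonce must have been issued for this action to this user.
    $nonce = isset( $data['example_backup_nonce'] ) ? $data['example_backup_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_backup_latest' ) ) {
        $response['example_backup_latest'] = array( 'error' => 'bad_nonce' );
        return $response;
    }
    $response['example_backup_latest'] = example_backup_latest_metadata();
    return $response;
}
add_filter( 'heartbeat_received', 'example_backup_heartbeat_secure', 10, 2 );

/*
 * The "email backup" endpoint must repeat the capability check. Knowing a backup
 * identifier is not authorization; the check belongs on the action that hands
 * out the data, not only on the step that reveals the identifier.
 */
function example_backup_email_backup() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    check_ajax_referer( 'example_backup_email', 'nonce' ); // dies on a bad nonce
    $backup_id = isset( $_POST['backup_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['backup_id'] ) )
        : '';
    if ( '' === $backup_id ) {
        wp_send_json_error( 'missing backup_id', 400 );
    }
    // Locate the backup by $backup_id and mail it to the configured address here.
    wp_send_json_success( array( 'queued' => $backup_id ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added on purpose.
add_action( 'wp_ajax_example_backup_email', 'example_backup_email_backup' );
```

The point of the two checks being in two places is that the heartbeat leak and the unrestricted download endpoint were each only half of the problem: fixing the heartbeat response alone would still leave a download endpoint that trusts anyone who can guess or obtain an identifier, and fixing the endpoint alone would still disclose backup timestamps to every subscriber.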

Of course, the attacker needs to know how to download database backups, and for now, Updraft reports that it has not seen such cases in the wild.

“For now, it (the PoC appearance) is up to the hacker to reverse engineer changes in the latest version of UpdraftPlus to solve this problem.” - Updraft.

As mentioned in Automattic's report, some indirect checks were still present in vulnerable versions of the plugin, but they were not enough to stop a skilled attacker.

According to WordPress download stats for this plugin, 783,000 installs were updated on the 16th and an additional 1.7 million were updated on the 17th.

Montpas told Bleeping Computer that this is one of those very rare and exceptionally dangerous cases where WordPress forces automatic updates to all sites, regardless of their administrator settings.

If you want to immediately upgrade to the secure version, you can manually apply the security update from the dashboard. The latest version available today is 1.22.4, so this is the recommended version to use.

Note that this vulnerability does not pose any risk to websites that do not support user logins of any kind or do not keep any backups.