Overview
The UpdraftPlus: WP Backup & Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP object: untrusted data reaching unserialize() lets the attacker instantiate any class loaded on the site and have its magic methods (__wakeup, __destruct and similar) run with attacker-controlled properties. Object injection on its own does not execute attacker code; it becomes exploitable when a suitable gadget (POP) chain is available on the site, for example from another installed plugin or theme, at which point the impact can range from file deletion or data disclosure to code execution.
Affected Plugin: UpdraftPlus: WP Backup & Migration Plugin Version <= 1.24.11
The UpdraftPlus Backup & Migration Plugin is trusted by the WordPress community to back up, restore and migrate their WordPress websites. UpdraftPlus is actively installed on more than 3 million websites around the world.
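To make the vulnerable pattern concrete, here is an added illustration (not UpdraftPlus's own code, and not a description of how its function is written): a generic "recursive unserialized replace" of the kind migration tools use to rewrite URLs inside serialized option values, with the unsafe unserialize() call and the hardened one side by side. The LogWriter class, the looks_serialized() helper and the sample option row are all constructed for the demo; the only difference between the unsafe and hardened runs is the allowed_classes option. Requires PHP 7.0 or newer.

```php
<?php
// Added illustration, not UpdraftPlus's own code: a generic "recursive unserialized
// replace" that descends into serialized strings so that serialize() recomputes the
// nested string lengths after a URL rewrite. Run with: php poi_demo.php

// Stand-in gadget: any loaded class with a magic method that does something dangerous
// when a deserialized instance is created or destroyed. Constructed for this demo; on a
// real site such classes come from other plugins, themes or bundled libraries.
class LogWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        // A real gadget might write $this->data to $this->path here.
        echo "  [gadget] LogWriter::__destruct ran for path={$this->path}\n";
    }
}

// Rough stand-in for WordPress's is_serialized(): does the string look like PHP serialized data?
function looks_serialized(string $value): bool
{
    return (bool) preg_match('/^(?:[aOC]:\d+:|[bids]:|N;)/', $value);
}

/**
 * Recursively replace $search with $replace in $data, descending into serialized strings.
 *
 * $allowed_classes is passed straight to unserialize():
 *   true  = PHP's default and the vulnerable behaviour: an attacker-controlled "O:" entry
 *           instantiates any loaded class and its magic methods run.
 *   false = hardened: objects come back as __PHP_Incomplete_Class, no magic method of a
 *           real class runs, and serialize() still re-emits the original class name, so
 *           the round trip stays lossless for the migration use case.
 */
function recursive_unserialized_replace(string $search, string $replace, $data, bool $allowed_classes)
{
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = recursive_unserialized_replace($search, $replace, $value, $allowed_classes);
        }
        return $data;
    }

    if (is_object($data)) {
        // Objects are passed through untouched. In hardened mode only the
        // __PHP_Incomplete_Class placeholder can reach this point, and touching its
        // properties only raises warnings, so leaving it opaque is the conservative choice.
        return $data;
    }

    if (is_string($data)) {
        if (looks_serialized($data)) {
            $decoded = @unserialize($data, ['allowed_classes' => $allowed_classes]);
            // 'b:0;' legitimately decodes to false; every other false means "not serialized".
            if ($decoded !== false || $data === 'b:0;') {
                return serialize(recursive_unserialized_replace($search, $replace, $decoded, $allowed_classes));
            }
        }
        return str_replace($search, $replace, $data);
    }

    return $data;
}

// Constructed sample: one wp_options-style row whose value is a serialized array holding
// the old site URL plus an attacker-supplied object entry (the "untrusted input").
$gadget = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/demo.log";s:4:"data";s:5:"hello";}';
$row = [
    'option_name'  => 'widget_settings',
    'option_value' => 'a:2:{s:7:"siteurl";s:18:"http://old.example";s:4:"meta";' . $gadget . '}',
];
// Both runs should produce this: the URL rewritten with its new length, the object kept verbatim.
$expected = 'a:2:{s:7:"siteurl";s:19:"https://new.example";s:4:"meta";' . $gadget . '}';

echo "Unsafe (allowed_classes => true): the gadget is instantiated and its destructor fires\n";
$unsafe = recursive_unserialized_replace('http://old.example', 'https://new.example', $row, true);
echo "  output as expected: " . var_export($unsafe['option_value'] === $expected, true) . "\n";

echo "Hardened (allowed_classes => false): same rewritten output, no gadget code runs\n";
$safe = recursive_unserialized_replace('http://old.example', 'https://new.example', $row, false);
echo "  output as expected: " . var_export($safe['option_value'] === $expected, true) . "\n";
```

The point of the demo is that the hardened run produces byte-identical output to the unsafe run while never instantiating LogWriter, so a search-and-replace routine loses nothing by refusing to instantiate classes. A stricter alternative is to refuse to process any serialized value that contains an "O:" or "C:" entry at all; which one fits depends on whether the tool must preserve object entries in the data it migrates.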
Preventive Measures
To protect your WordPress website from similar vulnerabilities in the future, consider the following best practices:
- Regularly update all plugins, themes, and WordPress core files. Vulnerabilities are often discovered and patched in subsequent updates.
- Apply least-privilege access: only users who actually need it should be able to reach sensitive site functionality such as file management, backups and migrations.
- Use two-factor authentication (2FA) for logging in to the WordPress admin area.
- Where practical, manage files over SFTP rather than through file-management plugins that expose that functionality over the web; every web-reachable plugin adds attack surface.
Conclusion
UpdraftPlus has been patched. It is advised to update to version 1.24.12, or a newer patched version. Confirm the installed version under Plugins > Installed Plugins in the WordPress admin, or with WP-CLI: wp plugin get updraftplus --field=version
For more information on WordPress security and steps to protect your site, feel free to reach out on our contact page or book a discovery call.