CVE-2017-16871

Name of the Vulnerable Software and Affected Versions UpdraftPlus plugin versions 1.13.12 and earlier

Description The issue allows remote PHP code execution due to a race condition in the plupload action function before deleting a file associated with the name parameter in /wp-content/plugins/updraftplus/admin.php. The vendor reports that this does not cross a privilege boundary.

Recommendations For UpdraftPlus plugin versions 1.13.12 and earlier, update to a version later than 1.13.12 to resolve the issue. As a temporary workaround, consider restricting access to the plupload action function in /wp-content/plugins/updraftplus/admin.php to minimize the risk of exploitation. Avoid using the name parameter in the affected API endpoint until the issue is resolved.