CVE-2022-0633

Name of the Vulnerable Software and Affected Versions UpdraftPlus versions 1.16.7 through 1.22.2 UpdraftPlus version 1.22.3 is the fixed version for the free version, and 2.22.3 is the fixed version for the premium version.

Description The issue is related to the improper validation of user privileges to access a backup's nonce identifier. This may allow any users with an account on the site to download the most recent site and database backup, potentially exposing sensitive information such as user parameters and password hashes. The vulnerability affects over 3 million sites and may allow unauthorized users to gain access to the site's database, potentially leading to a site takeover.

Recommendations For UpdraftPlus versions 1.16.7 through 1.22.2, update to version 1.22.3 or later for the free version. For UpdraftPlus premium versions prior to 2.22.3, update to version 2.22.3 or later. As a temporary workaround, consider restricting access to the backup functionality until a patch is applied.