CVE-2023-5982

Name of the Vulnerable Software and Affected Versions UpdraftPlus: WordPress Backup & Migration Plugin versions up to, and including, 1.23.10

Description The issue is related to Cross-Site Request Forgery due to a lack of nonce validation and insufficient validation of the instance id on the 'updraftmethod-googledrive-auth' action. This allows unauthenticated attackers to modify the Google Drive location where backups are sent by tricking a site administrator into performing an action, potentially giving attackers access to sensitive information.

Recommendations For versions up to, and including, 1.23.10, update to a version that includes nonce validation and proper instance id validation for the 'updraftmethod-googledrive-auth' action to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the 'updraftmethod-googledrive-auth' action to minimize the risk of exploitation.