CVE-2022-0633
Published 2022-02-17
Priority: P2 · Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.98% (78.0th percentile)
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.
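The bug class behind this CVE (CWE-863, incorrect authorization) is a WordPress handler that treats a nonce as if it were a privilege check. A nonce only proves the request originated from a page rendered for some logged-in user; it says nothing about that user's role, so a subscriber who can obtain the nonce can call the endpoint. The following is an added illustration, not UpdraftPlus code (the page does not reproduce the plugin's source): the handler names, the nonce action string, the `example_backup_index` option and the streaming helper are all hypothetical.

```php
<?php
// Added example for the CWE-863 pattern in CVE-2022-0633. NOT UpdraftPlus code:
// handler names, nonce action, option name and file layout are hypothetical.

// Hypothetical helper: stream an archive that lives under the backup directory.
function example_stream_backup_file( $path ) {
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
}

// --- Vulnerable pattern: the nonce is the only gate. ---------------------------
// check_ajax_referer() verifies CSRF protection for *whoever is logged in*; it
// does not verify that the caller is allowed to read the site backup.
function vuln_handle_backup_download() {
    check_ajax_referer( 'example_backup_download', 'nonce' );

    // Caller-supplied file name: any authenticated user who has the nonce
    // (subscriber included) gets the archive.
    $file = sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) );
    example_stream_backup_file( WP_CONTENT_DIR . '/example-backups/' . $file );
    wp_die();
}

// --- Hardened pattern: capability first, nonce second, strict input third. ------
function safe_handle_backup_download() {
    // 1. Authorization: only users who may administer the site get backups.
    //    Reuse the capability your settings page already requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: still required, but it is a second gate, not the first.
    check_ajax_referer( 'example_backup_download', 'nonce' );

    // 3. Input: resolve an integer backup id against a server-side index instead
    //    of accepting a file name from the request.
    $backup_id = isset( $_GET['backup_id'] ) ? (int) $_GET['backup_id'] : 0;
    $backups   = get_option( 'example_backup_index', array() ); // hypothetical option
    if ( ! isset( $backups[ $backup_id ]['file'] ) ) {
        wp_send_json_error( array( 'message' => 'unknown backup' ), 404 );
    }
    example_stream_backup_file( $backups[ $backup_id ]['file'] );
    wp_die();
}

// Register for logged-in users only. Deliberately no `wp_ajax_nopriv_` hook,
// which would expose the endpoint to anonymous callers as well.
add_action( 'wp_ajax_example_backup_download', 'safe_handle_backup_download' );
```

The practitioner's check for this class does not depend on the plugin: authenticate with a subscriber-role test account and confirm the backup endpoint answers 403 rather than the archive. `current_user_can()` before `check_ajax_referer()` is the order that matters; a nonce is never a substitute for a capability check.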
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| updraftplus | updraftplus | < 1.22.3 | 1.22.3 |
| updraftplus | updraftplus | < 2.22.3 | 2.22.3 |
| updraftplus | updraftplus_wordpress_backup_plugin | >= 1.22.3 < 1.22.3 | 1.22.3 |
| updraftplus | updraftplus_wordpress_backup_plugin | >= 2.22.3 < 2.22.3 | 2.22.3 |
The last two ranges, as indexed, are empty (the lower bound equals the upper bound, so they match no version). The description and the vendor advisory give the affected versions as Free < 1.22.3 and Premium < 2.22.3; treat the first two rows as authoritative.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| VulnCheck | | 6.5 | MEDIUM | |
GHSA
GHSA-w56x-f43j-rgx4 (ghsa_unreviewed, 2022-02-18): CVE-2022-0633 [MEDIUM], CWE-863
Description: same text as the NVD description above.
VulnCheck
CVE-2022-0633 [MEDIUM] · updraftplus updraftplus · Incorrect Authorization · CVSS 6.5 (2022)
Description: same text as the NVD description above.
Affected: updraftplus updraftplus
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/detail/updraftplus-wordpress-backup-plugin-1223-sensitive-information-disclosure
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166059/WordPress-UpdraftPlus-1.22.2-Backup-Disclosure.html
- https://jetpack.com/2022/02/17/severe-vulnerability-fixed-in-updraftplus-1-22-3/
- https://updraftplus.com/updraftplus-security-release-1-22-3-2-22-3/
- https://wpscan.com/vulnerability/d257c28f-3c7e-422b-a5c2-e618ed3c0bf3