CVE-2023-5982
Published 2023-11-07. CVE-2023-5982: The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including…
Priority: P4 · 23 · Medium · CVSS 3.1 base score 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.22% (12.2th percentile)
The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth' action used to update Google Drive remote storage location. This makes it possible for unauthenticated attackers to modify the Google Drive location that backups are sent to via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can make it possible for attackers to receive backups for a site which may contain sensitive information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidanderson | updraftplus_wp_backup_migration_plugin | <= 1.23.10 | — |
| updraftplus | updraftplus | <= 1.23.10 | — |
VulDB
vuldb · 2026-04-11 · CVSS 5.4 · CVE-2023-5982 [MEDIUM]: UpdraftPlus Plugin up to 1.23.10 on WordPress Google Drive Storage Update cross-site request forgery (ID 2989669)
A vulnerability categorized as problematic has been discovered in UpdraftPlus Plugin up to 1.23.10 on WordPress. Affected is an unknown function of the component Google Drive Storage Update. Executing a manipulation can lead to cross-site request forgery.
This vulnerability is tracked as CVE-2023-5982. The attack can be launched remotely. No exploit exists.
GHSA
ghsa_unreviewed · 2023-11-07 · CVE-2023-5982 [MEDIUM] · CWE-352 · GHSA-844v-m9qm-pqr2: The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and inclu
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/changeset/2989669/updraftplus/tags/1.23.11/class-updraftplus.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e1be11c5-0a44-4816-b6bf-d330cb51dbf3?source=cve
Published: 2023-11-07