WordPress is forcibly rolling out an update to the popular backup plugin UpdraftPlus. Websites with the plugin were found to contain a vulnerability that allowed unauthorized users to download recent backups.
The mandatory updates are UpdraftPlus 1.22.3 and 2.22.3, for users of the free and paid versions of the plugin respectively. Once they are installed, unauthorized users can no longer access backups, plugin manager Jetpack explains in a blog post.
WordPress rarely forces an update, but because of the severity of the vulnerability, the update was installed on 3 million sites within days, according to Bleeping Computer. Nevertheless, UpdraftPlus says no exploitation is known to have occurred, because obtaining a backup without authorization requires a complicated process.
The vulnerability in UpdraftPlus allowed any user to send a heartbeat request to a website, which returned sensitive data about recent backups. A link could then be generated from this data, and that link instructed UpdraftPlus to send the backup in question by email to the unauthorized user.