
WordPress backup plugin maker Updraft says “You should update”… – Naked Security

WordPress plugins should be kept up to date as carefully as WordPress itself…

…especially if these plugins are designed to help you manage all of your WordPress site data.

That’s why we thought we’d write about a recent warning from the makers of Updraft and Updraft Plus, which are respectively the free and premium versions of a plugin dedicated to backing up, restoring and cloning WordPress sites.

As you can imagine, a security bug in a backup plugin that could allow an attacker to download a site backup without permission means, in theory, that your entire site, and all the data that goes with it, could be stolen all at once.

That is apparently the nature of CVE-2022-0633, a bug found in the Updraft plugin and reported by a security researcher at Automattic, the company behind the WordPress brand.

You can see the connection between WordPress and Automattic from this very site: we are hosted by WordPress VIP [2022-02-22], as you can see by looking at the headers of our web responses (X-Powered-By: WordPress VIP), and then by looking up the administrative and technical contacts of the wpvip.com domain in the Whois database (Admin and Tech Org: Automattic, Inc.).

High quality response

In fact, as well as acting as a gentle reminder to Updraft users to make sure they’re up to date (at the time of writing: 1.22.4 for the free version and 2.22.4 for Premium users), we thought we’d cover this patch as a positive example of how to deal with a cybersecurity flaw.

In our opinion, Updraft got several important things right in the update bulletin it published on its blog:

  • The report was timely. The fix was written and released within two days of Automattic’s responsible disclosure of the bug.
  • The report did not mince words. The opening paragraph states, “The short version is: you need to update. For the details, read on.”
  • The report described the bug in plain language and was clear about the risk it posed. Simply put, any logged-in user of your site, even one who normally only uploads articles for others to edit and approve, might have been able to clone your entire site, including making off with all your non-public data.
  • The company issued a credible apology. Rather than opening with weasel words about the bug not being exploited in the wild, or playing it down by pointing out that it didn’t allow completely unauthenticated access, the report first explained the situation, reiterated the importance of updating anyway, and only then offered its apparently sincere regret at the end.
  • The report was written by someone who knew what they were talking about. Rather than leaving the published wording to PR or marketing, the report was written by one of Updraft’s core developers.

Try reading our satirical take on data breach notifications, written as a humorous article a few years ago, and then compare it with Updraft’s security report.

We think you’ll agree that following up a cybersecurity blunder by telling the plain truth in plain English is not only genuinely helpful, but also more likely to persuade your customers to trust you in the future.

If nothing else, an open and explanatory security report shows that you actually learned something positive from the incident, and thus backs up any claims you make about doing better next time.

What to do?

  • If you are an Updraft or Updraft Premium user, make sure you have at least version 1.22.4 or 2.22.4 respectively. Even if you consider yourself low risk because you have few or no unprivileged users to worry about, upgrade anyway. As Updraft correctly points out, although an active attack depends on “a hacker reverse-engineering the changes in the latest […] release to work it out, […] you certainly shouldn’t rely on that taking long, but should update immediately.”
  • If you manage your own website, whether it’s WordPress-based or not, practise how you would react if you encountered a data-threatening bug like this one. Preparing for how you would react if you failed is not the same as simply preparing to fail. In fact, being aware of the work you would have to do in the event of a critical bug or data breach is a good incentive to learn how to defend against such issues in the first place.
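To turn the first item above into something you can script across several sites, here is an added example (our own illustration, not Updraft’s code) that compares an installed version string against the 1.22.4 (free) and 2.22.4 (Premium) floors named in this article. The dotted-version comparison is pure POSIX sh; the `wp plugin get updraftplus --field=version` call in the usage comment, and the plugin slug `updraftplus`, are assumptions about how you would read the version with WP-CLI on a live site.

```shell
#!/bin/sh
# Added example, not Updraft's own code. Decides whether an Updraft version string
# is at or above the versions this article names: 1.22.4 (free) or 2.22.4 (Premium).

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing dotted numeric
# components one at a time so that 1.22.10 correctly sorts above 1.22.4.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"            # head component of each
        [ "$ah" = "$a" ] && a="" || a="${a#*.}" # drop the head from A
        [ "$bh" = "$b" ] && b="" || b="${b#*.}" # drop the head from B
        : "${ah:=0}"; : "${bh:=0}"              # missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# updraft_patched VERSION: returns 0 if the version is at or above the fixed
# release for its line, 1 if the article says you should update, 2 if the
# major version is not one of the two lines the article describes.
# Per the article, 1.x is the free plugin and 2.x is Premium.
updraft_patched() {
    case "$1" in
        1.*) min=1.22.4 ;;
        2.*) min=2.22.4 ;;
        *) echo "unrecognised Updraft version line: $1" >&2; return 2 ;;
    esac
    [ "$(vercmp "$1" "$min")" -ge 0 ]
}

# Usage on a live site (assumed WP-CLI invocation; the slug is an assumption):
#   v=$(wp plugin get updraftplus --field=version)
#   if updraft_patched "$v"; then echo "ok: $v"; else echo "UPDATE NOW: $v"; fi

# Stand-alone demonstration on constructed version strings.
for v in 1.22.3 1.22.4 1.22.10 2.22.3 2.22.4; do
    if updraft_patched "$v"; then echo "$v: patched"; else echo "$v: update"; fi
done
```

Run it against the output of `wp plugin get`, or loop it over the plugin version reported by each site in your inventory; anything that prints `update` is a site where a logged-in low-privilege user could, by the article’s account, have pulled down a full backup.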