First published: Thu Feb 17 2022
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate that a user has the required privileges to access a backup's nonce identifier, which may allow any user with an account on the site (such as a subscriber) to download the most recent site & database backup.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Updraftplus Updraftplus | <1.22.3 | |
Updraftplus Updraftplus | <2.22.3 | |
The vulnerability ID is CVE-2022-0633.
The severity of CVE-2022-0633 is medium with a CVSS score of 6.5.
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 are affected by CVE-2022-0633.
An attacker can download the most recent site and database backups without proper privileges.
To fix CVE-2022-0633, update to UpdraftPlus Free 1.22.3 or UpdraftPlus Premium 2.22.3.
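To confirm whether a given install still needs that update, the following added example (not part of the original advisory or of UpdraftPlus itself) reads the plugin's header and compares its version with the fixed releases named above. It assumes the plugin's main file is `updraftplus/updraftplus.php` under the plugins directory and that a major version of 1 means Free and 2 means Premium; the function names are hypothetical.

```python
import re
from pathlib import Path

# Fixed releases stated in the advisory, keyed by major version.
# Assumption: major version 1 is the Free edition, 2 is Premium.
FIXED = {1: (1, 22, 3), 2: (2, 22, 3)}

# WordPress plugin header line, e.g. " * Version: 1.22.2" or "Version: 1.22.2"
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(header_text[:8192])  # headers sit in the first 8 KB
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version):
    """Map a version tuple to 'vulnerable', 'patched' or 'unknown'."""
    if not version:
        return "unknown"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # not a release line the advisory covers
    # Pad so that (1, 22) compares as (1, 22, 0)
    padded = version + (0,) * (len(fixed) - len(version))
    return "vulnerable" if padded < fixed else "patched"


def audit(plugins_dir):
    """Check <plugins_dir>/updraftplus/updraftplus.php (assumed location)."""
    main_file = Path(plugins_dir) / "updraftplus" / "updraftplus.php"
    if not main_file.is_file():
        return "not installed"
    text = main_file.read_text(encoding="utf-8", errors="replace")
    return classify(parse_version(text))


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"))
```

Run it with the path to `wp-content/plugins` as the only argument; a result of `unknown` means the header could not be parsed or the version is outside the 1.x and 2.x lines and should be checked by hand.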