A critical vulnerability has been discovered in UpdraftPlus, a widely used backup plugin for WordPress, and it is currently being actively exploited. The flaw could allow unauthenticated attackers to bypass authentication, gain administrator privileges, and execute arbitrary code (RCE) on the server, so urgent action is required. Over 3 million WordPress sites are exposed, with thousands of attack attempts confirmed in the last 24 hours alone.
Vulnerability Overview and Scope of Impact
This vulnerability exists in UpdraftPlus plugin versions 1.26.4 and earlier. Sites with the 'Migrator Key' (a premium feature) enabled are particularly affected. By exploiting an authentication bypass in a specific plugin function, attackers can issue remote commands without authentication and act as an administrator. This can lead to the upload and activation of a malicious plugin, and ultimately to remote code execution on the web server.
If the vulnerability is exploited, the site could be completely compromised, leading to a wide range of severe damages such as data theft, tampering, malware injection, and web shell deployment.
Specific Impacts and Attack Scenarios
Attackers bypass UpdraftPlus's authentication process by sending specially crafted requests. If successful, attackers can hijack administrator privileges on the WordPress site and upload and activate a malicious WordPress plugin containing arbitrary PHP code. This creates a backdoor to the server, granting attackers persistent access and full control. According to Wordfence, 8,172 attacks targeting this vulnerability have been blocked in the past 24 hours, confirming active exploitation.
Actions Engineers Should Take Immediately
The most crucial action is to **immediately update the UpdraftPlus plugin to version 1.26.5 or later**. The UpdraftPlus developers have already released a patch addressing this vulnerability. If automatic updates are disabled, or if immediate updates are difficult for any reason, consider the following mitigation measures:
Example of restricting access to the WordPress admin directory in the nginx configuration:

```nginx
location ^~ /wp-admin/ {
    # Allow access only from trusted IP addresses
    allow XXX.XXX.XXX.XXX;  # replace with your own IP address
    deny all;

    # Restrict execution of PHP files (adjust as needed)
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;  # change the PHP-FPM socket path to match your environment
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```
This nginx configuration restricts access to the `/wp-admin/` directory to specific IP addresses, blocking requests from anywhere else. Note that `/wp-admin/admin-ajax.php` lives under this path, so front-end features that rely on it will break unless you exempt it; the restriction is a stopgap until the plugin is updated, not a replacement for the update. Additionally, if you have a WAF (Web Application Firewall) in place, strengthening its rules to detect and block suspicious request patterns is also effective.
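To find which installs still need the update, here is an added Python check (not from this advisory or the UpdraftPlus project) that reads the plugin's file header under each WordPress root and compares the version against 1.26.5; the plugin path `updraftplus/updraftplus.php` and the sample header are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# First release that closes the vulnerability, as stated in the advisory above
FIXED_VERSION = "1.26.5"
# Main plugin file relative to wp-content/plugins (assumed standard slug and file name)
PLUGIN_MAIN_FILE = "updraftplus/updraftplus.php"

# Constructed sample of a WordPress plugin file header (not taken from any real site)
SAMPLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.26.4
*/
"""


def parse_version(v: str) -> tuple:
    """Turn '1.26.4' into (1, 26, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def header_version(plugin_source: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_source, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit_sites(wp_roots) -> dict:
    """Map each WordPress root to 'vulnerable', 'patched', 'unknown version' or 'not installed'."""
    results = {}
    for root in wp_roots:
        main = Path(root) / "wp-content" / "plugins" / PLUGIN_MAIN_FILE
        if not main.is_file():
            results[str(root)] = "not installed"
            continue
        ver = header_version(main.read_text(errors="replace"))
        if ver is None:
            results[str(root)] = "unknown version"
        else:
            results[str(root)] = "vulnerable" if is_vulnerable(ver) else "patched"
    return results


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /var/www/site1 /var/www/site2 ...
    for root, status in audit_sites(sys.argv[1:]).items():
        print(f"{root}: {status}")
```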