CVE-2023-32960: CSRF Flaw in WordPress UpdraftPlus Plugin with three million active installations

Rafie Muhammad of Patchstack has disclosed CVE-2023-32960 (CVSS score 7.1, rated High), a vulnerability in UpdraftPlus, one of the most widely used WordPress backup plugins. With over three million active installations, UpdraftPlus handles scheduled backups and restoration and integrates with cloud storage providers such as Dropbox, Google Drive and Amazon S3.


CVE-2023-32960: A CSRF Vulnerability

The flaw in UpdraftPlus (free version, 1.23.3 and below) is a Cross-Site Request Forgery (CSRF). In a CSRF attack, the attacker gets a logged-in user's browser to send a request the user never intended; because the browser attaches the victim's session cookies automatically, the site treats the forged request as a legitimate action by that user. When the victim is an administrator, the attacker effectively borrows administrator privileges for that one request.

Here the forged request plants a payload that is later rendered unescaped in the wp-admin area, turning the CSRF into a stored, site-wide Cross-Site Scripting (XSS). An unauthenticated attacker only needs to trick a privileged user into visiting a crafted URL once; from then on the injected script runs in the browser of every administrator who loads the affected admin page, where it can read session data, make further authenticated requests, or create new privileged accounts. A single visit is enough, which is what makes the chain dangerous.

The offending code is the `build_authentication_link` function, which builds and returns the authentication link for a given remote storage method. The link is assembled by plain string concatenation: `instance_id` is placed inside the `href` and `data-instance_id` attributes without validation or HTML attribute escaping (for example via `esc_attr()`), so a value containing `"` can break out of the attribute and inject markup.

methods/backup-module.php, function build_authentication_link (vulnerable version, shown as on the page):

```php
public function build_authentication_link($instance_id, $text) {

	$id = $this->get_id();

	// $instance_id and $text are concatenated straight into attribute and text
	// context with no escaping, which is the root of the stored XSS.
	return '<a class="updraft_authlink" href="'.UpdraftPlus_Options::admin_page_url().'?&action=updraftmethod-'.$id.'-auth&page=updraftplus&updraftplus_'.$id.'auth=doit&updraftplus_instance='.$instance_id.'" data-instance_id="'.$instance_id.'" data-remote_method="'.$id.'">'.$text.'</a>';
}
```
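The following is an added example, not code from UpdraftPlus or Patchstack. It contrasts the unescaped concatenation pattern above with a hardened link builder (validate the identifier's shape, then escape each value for the context it lands in), and shows the request-side nonce check that closes the CSRF half of the chain. `esc_attr()`, `esc_html()`, `esc_url()`, `wp_create_nonce()` and `wp_verify_nonce()` are real WordPress functions; the minimal stand-ins, the admin URL, the instance id format and the nonce action name are all assumptions made so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example (not UpdraftPlus code): vulnerable vs hardened link builder,
// plus a nonce gate for the state-changing request.
// Stand-ins for WordPress helpers so this runs under plain `php`; inside
// WordPress the real functions are already defined and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    // Real esc_url() also validates the scheme; this stand-in only escapes.
    function esc_url($url)   { return htmlspecialchars((string) $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    // Constructed nonce stand-in: HMAC over the action name with a demo secret.
    // WordPress additionally binds the nonce to the user, session and a time window.
    define('DEMO_NONCE_SECRET', 'constructed-demo-secret');
    function wp_create_nonce($action) { return substr(hash_hmac('sha256', $action, DEMO_NONCE_SECRET), 0, 10); }
    function wp_verify_nonce($nonce, $action) { return hash_equals(wp_create_nonce($action), (string) $nonce); }
}

const ADMIN_URL = 'https://example.test/wp-admin/options-general.php'; // assumed admin page URL

// Vulnerable pattern: every value is concatenated straight into attribute context.
function build_link_vulnerable($id, $instance_id, $text) {
    return '<a class="updraft_authlink" href="' . ADMIN_URL . '?&action=updraftmethod-' . $id
        . '-auth&page=updraftplus&updraftplus_' . $id . 'auth=doit&updraftplus_instance=' . $instance_id
        . '" data-instance_id="' . $instance_id . '" data-remote_method="' . $id . '">' . $text . '</a>';
}

// Hardened pattern: reject identifiers that do not match the expected shape,
// then escape for the URL, attribute and text-node contexts separately.
function build_link_hardened($id, $instance_id, $text) {
    // Assumed formats: short tokens of [A-Za-z0-9_-] for the instance, [a-z0-9] for the method.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $instance_id) || !preg_match('/^[a-z0-9]{1,32}$/', $id)) {
        throw new InvalidArgumentException('invalid method or instance id');
    }
    $url = ADMIN_URL . '?action=updraftmethod-' . rawurlencode($id) . '-auth&page=updraftplus'
        . '&updraftplus_' . rawurlencode($id) . 'auth=doit&updraftplus_instance=' . rawurlencode($instance_id);
    return '<a class="updraft_authlink" href="' . esc_url($url) . '"'
        . ' data-instance_id="' . esc_attr($instance_id) . '"'
        . ' data-remote_method="' . esc_attr($id) . '">' . esc_html($text) . '</a>';
}

// Request-side gate: a state-changing admin action must carry a nonce a
// cross-site page cannot know, and the caller must hold the capability.
function handle_auth_request(array $request, bool $user_can_manage, string $action = 'updraft_auth') {
    if (!$user_can_manage) {
        return 'forbidden';
    }
    if (!isset($request['_wpnonce']) || !wp_verify_nonce($request['_wpnonce'], $action)) {
        return 'rejected: missing or invalid nonce (likely CSRF)';
    }
    return 'accepted';
}

// Demo with a constructed attribute-breakout payload.
$payload = '"><img src=x onerror=alert(document.cookie)>';
echo build_link_vulnerable('dropbox', $payload, 'Authenticate') . "\n";   // payload lands live in the page
try {
    echo build_link_hardened('dropbox', $payload, 'Authenticate') . "\n";
} catch (InvalidArgumentException $e) {
    echo 'hardened builder rejected payload: ' . $e->getMessage() . "\n";
}
echo build_link_hardened('dropbox', 's-1a2b3c', '<b>Authenticate</b>') . "\n"; // text is escaped, not rendered as markup

// A forged cross-site request carries no valid nonce; a legitimate admin click does.
echo handle_auth_request(['updraftplus_instance' => $payload], true) . "\n";
echo handle_auth_request(['_wpnonce' => wp_create_nonce('updraft_auth')], true) . "\n";
```

Both halves matter: escaping alone stops the stored XSS but still lets a forged request change the remote-storage configuration, and the nonce alone stops the forgery but leaves the unescaped output for any other path that can reach it.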

An Unexpected Condition: The Dropbox Connection

Two conditions narrow the attack surface. First, the vulnerable path is only reachable when the site has Dropbox configured as a remote storage option. Second, because the forged request has to ride on the victim's session, the victim must be a user with the administrator role; the attacker does not need an account, but needs an administrator to follow the crafted link while logged in.

Safeguarding Your WordPress Website: The Fix

The vulnerability has been fixed in UpdraftPlus 1.23.4. Coordinated disclosure of this kind, where a researcher reports the flaw and the vendor ships a patch before details are public, is what keeps a bug like this from being widely exploited.

Site owners running the free version of UpdraftPlus should update to 1.23.4 or later without delay, and should review the Dropbox authentication settings if they suspect an administrator may have been lured to a suspicious link. Keeping plugins current matters more than it seems: WordPress plugins are a frequent source of exploitable flaws, and most fixes arrive only through routine updates.