A newly discovered vulnerability in the UpdraftPlus Backup & Migration Plugin, used by over 3 million WordPress websites globally, has raised significant security concerns. Identified as CVE-2024-10957 and assigned a CVSS score of 8.8, the flaw could allow unauthenticated attackers to exploit PHP Object Injection vulnerabilities under certain conditions.
The vulnerability resides in the recursive_unserialized_replace function, which improperly handles the deserialization of untrusted input. While no known POP (Property-Oriented Programming) gadget chain exists in the plugin itself, the presence of additional vulnerable plugins or themes on the affected WordPress installation could enable attackers to:
- Delete arbitrary files.
- Access sensitive data.
- Execute arbitrary code.
Importantly, exploitation requires an administrator to perform a search-and-replace operation within the plugin, which is what triggers the deserialization of the malicious payload.
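The unsafe pattern described above, placed beside a hardened form, as an added illustration; this is not the plugin's own code, and the function names and the sample database records are constructed for the example:

```php
<?php
// Added illustrative example; not the UpdraftPlus plugin's own code.
// A search-and-replace over serialized PHP data held in the database must
// unserialize it to rewrite nested strings without corrupting length prefixes.

// Applies the replacement to strings and array members; objects pass through.
function replace_recursive($value, string $from, string $to) {
    if (is_string($value)) return str_replace($from, $to, $value);
    if (is_array($value)) {
        foreach ($value as $k => $v) $value[$k] = replace_recursive($v, $from, $to);
    }
    return $value;
}

function contains_object($value): bool {
    if (is_object($value)) return true;          // includes __PHP_Incomplete_Class
    if (!is_array($value)) return false;
    foreach ($value as $v) if (contains_object($v)) return true;
    return false;
}

// Unsafe: default unserialize() instantiates any class named in the payload
// and runs its __wakeup/__destruct. That is the object injection primitive;
// it becomes exploitable once a gadget chain exists anywhere on the site.
function replace_in_serialized_unsafe(string $data, string $from, string $to): string {
    $value = @unserialize($data);
    if ($value === false) return str_replace($from, $to, $data); // not serialized
    return serialize(replace_recursive($value, $from, $to));
}

// Hardened: allowed_classes=>false maps every object to __PHP_Incomplete_Class,
// so no application class is instantiated; such records are left untouched.
function replace_in_serialized_safe(string $data, string $from, string $to): string {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false) return str_replace($from, $to, $data);
    if (contains_object($value)) return $data; // flag the record to the operator instead
    return serialize(replace_recursive($value, $from, $to));
}

// Constructed sample records: one whose payload names a class, one plain.
$sample = 'a:1:{s:4:"home";O:8:"stdClass":1:{s:3:"url";s:15:"http://old.test";}}';
$plain  = 'a:1:{s:4:"home";s:15:"http://old.test";}';
echo replace_in_serialized_safe($sample, 'old.test', 'new.test'), PHP_EOL; // unchanged
echo replace_in_serialized_safe($plain, 'old.test', 'new.test'), PHP_EOL;  // rewritten
```

The second record is rewritten with a corrected length prefix, while the first is returned untouched because the hardened path refuses to instantiate any class found in stored data.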
Security researcher Webbernaut has been credited with identifying and responsibly disclosing the CVE-2024-10957 flaw.
This vulnerability affects all versions of UpdraftPlus up to and including 1.24.11. Given the plugin’s widespread adoption, a vast number of WordPress sites could be at risk if corrective measures are not promptly implemented.
What could have happened?
Successful exploitation of this vulnerability could have had severe consequences, potentially allowing attackers to:
- Delete critical website files: Disrupting the website’s functionality or even taking it offline completely.
- Steal sensitive data: Accessing confidential information such as user credentials, database details, or financial records.
- Execute arbitrary code: Taking complete control of the website and using it for malicious purposes like distributing malware or launching further attacks.
Urgent Action Required
The UpdraftPlus team has addressed this vulnerability in version 1.24.12. All users are strongly urged to update their plugin to this version immediately.