An oversight in a WordPress plug-in has exposed PII and verification data to malicious insiders.
The WordPress plug-in “UpdraftPlus” was updated on Wednesday to fix a vulnerability that left critical backups at risk and could disclose personal information and verification data. UpdraftPlus is a tool for creating, restoring and moving backups of WordPress files, databases, plug-ins and themes. According to its website, UpdraftPlus is used by more than three million WordPress websites, including those of organizations such as Microsoft, Cisco and NASA.
According to a security report submitted by UpdraftPlus on Wednesday, the zero-day allowed “any user who logged into WordPress with active UpdraftPlus to exercise the right to download an existing repository, a right that should be limited to administrative users only.”