Millions of WordPress sites receive forced patch for critical plugin flaw

Millions of WordPress sites have received a forced patch over the past few days, Ars Technica has reported. The reason is a vulnerability in UpdraftPlus, a popular plugin that allows users to create and restore website backups. UpdraftPlus developers requested the mandatory patch, as the vulnerability would allow anyone with an account to download a website’s entire database. 

The bug was discovered by Jetpack security researcher Marc Montpas during a security audit of the plugin. “This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” he told Ars Technica. “It made it possible for low-privilege users to download a site’s backups, which include raw database backups.” 

He told UpdraftPlus developers about the bug on Tuesday last week. They fixed it a day later and started force-installing the patch shortly after that. 1.7 million sites had…
