Database leak in UpdraftPlus WordPress add-on with 3 million installs

A dangerous vulnerability (CVE-2022-0633) has been identified in the UpdraftPlus WordPress add-on, which has more than 3 million active installations. It allows an ordinary registered user to download a copy of the site's database, which, in addition to content, contains all user settings and password hashes. The issue has been fixed in releases 1.22.3 and 2.22.3; all UpdraftPlus users are advised to update as soon as possible.

UpdraftPlus is touted as the most popular add-on for backing up sites running on the WordPress platform. Due to an incorrect access-rights check, the add-on allowed not only administrators but any user registered on the site (for example, one with the subscriber role) to download a backup of the site and its associated database.

To download backups, UpdraftPlus uses an identifier derived from the time the backup was created and a random value (nonce). The problem is that, due to missing checks in the WordPress heartbeat request handler, any user could obtain information about the most recent backup with a specially crafted request, including its creation time and the associated nonce.

With that information, an attacker can reconstruct the identifier and download the backup via the email download method. The maybe_download_backup_from_email function used by this method requires access to the options-general.php page, which only administrators have. However, an attacker can bypass this restriction by spoofing the $pagenow variable used in the check and sending the request through a service page that unprivileged users are allowed to reach. For example, the admin post page can be used with a request of the form "wp-admin/admin-post.php/%0A/wp-admin/options-general.php?page=updraftplus".
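The bypass described above leaves a distinctive trace in web server access logs: a request to admin-post.php whose path carries extra PATH_INFO containing a percent-encoded newline and the name of another wp-admin script. The following detection script is an added example, not code from the article or from the UpdraftPlus project. It parses constructed Apache/nginx-style access log lines (the IPs, timestamps and sizes are made up for illustration) and flags requests whose decoded path contains control characters or whose PATH_INFO names a second .php script. The heuristics are this editor's assumptions about what such requests look like, generalized from the single request form quoted in the text.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines for illustration only (not real traffic).
# Line 2 and line 4 show the admin-post.php PATH_INFO pattern; the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2022:10:01:12 +0000] "GET /wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 5120
203.0.113.9 - - [17/Feb/2022:10:02:44 +0000] "GET /wp-admin/admin-post.php/%0A/wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 1048576
198.51.100.7 - - [17/Feb/2022:10:03:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0
198.51.100.8 - - [17/Feb/2022:10:04:20 +0000] "GET /wp-admin/admin-post.php/%0a/wp-admin/options-general.php HTTP/1.1" 200 400
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Script name followed by optional PATH_INFO; DOTALL so a decoded newline
# inside the path does not stop the match.
SCRIPT_RE = re.compile(r'^(/.*?\.php)(/.*)?$', re.DOTALL)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_target(target):
    """Return a list of reasons why a request target looks like $pagenow spoofing.

    An empty list means the target looks normal.
    """
    path = target.split("?", 1)[0]      # drop the query string
    decoded = unquote(path)             # %0A / %0a become a real newline
    reasons = []

    # Signal 1: control characters (newline, carriage return, ...) in the path.
    if any(ord(c) < 0x20 for c in decoded):
        reasons.append("control character in decoded path")

    # Signal 2: PATH_INFO after a .php script that itself names another script,
    # e.g. admin-post.php/<junk>/wp-admin/options-general.php
    m = SCRIPT_RE.match(decoded)
    if m and m.group(2) and ".php" in m.group(2):
        reasons.append(f"PATH_INFO names another script: {m.group(2)!r}")

    return reasons


def scan(log_text):
    """Scan a block of log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = analyze_target(rec["target"])
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "target": rec["target"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

Running the script on the constructed log flags the two admin-post.php requests and leaves the plain options-general.php and POST admin-post.php requests alone. In a real deployment a 200 response with a large body on such a request, as in the second sample line, is the combination worth alerting on, since it suggests a backup file was actually served.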

Source: opennet.ru
