Cross-Site Request Forgery Vulnerability in UpdraftPlus Backup Plugin for WordPress
CVE-2023-5982

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: UpdraftPlus: WordPress Backup & Migration Plugin
Vendor: CVE Published:; 7 November 2023

Summary

The UpdraftPlus Backup & Migration plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability due to inadequate nonce validation and insufficient verification of the instance_id in the 'updraftmethod-googledrive-auth' action. An unauthenticated attacker can trick a site administrator into clicking a malicious link, enabling them to alter the Google Drive backup destination. This could lead to the attacker receiving backups that may contain sensitive site information, putting the site's security at significant risk.

Affected Version(s)

UpdraftPlus: WordPress Backup & Migration Plugin * <= 1.23.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2989669/updr...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 7, 2023
Vulnerability Reserved
Nov 7, 2023

Credit

Nicolas Decayeux