Cross-Site Request Forgery Vulnerability in UpdraftPlus Backup Plugin for WordPress
CVE-2023-5982

5.4MEDIUM

Key Information:

Vendor

WordPress
Status
Updraftplus: WordPress Backup & Migration Plugin
Vendor
CVE Published:
7 November 2023

What is CVE-2023-5982?

The UpdraftPlus Backup & Migration plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability due to inadequate nonce validation and insufficient verification of the instance_id in the 'updraftmethod-googledrive-auth' action. An unauthenticated attacker can trick a site administrator into clicking a malicious link, enabling them to alter the Google Drive backup destination. This could lead to the attacker receiving backups that may contain sensitive site information, putting the site's security at significant risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

UpdraftPlus: WordPress Backup & Migration Plugin * <= 1.23.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/2989669/updr...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nicolas Decayeux
JSON
.