The WordPress UpdraftPlus plugin is vulnerable to a high-severity PHP object injection vulnerability. Tracked as CVE-2024-10957, the flaw may allow an unauthenticated attacker to delete arbitrary files, retrieve sensitive data, or execute code. According to WordPress, more than 3 million websites worldwide use the plugin.
UpdraftPlus is among the most popular scheduled backup and migration plugins. It lets users back up to their preferred storage location and restore from it in just three clicks. Backups can be run manually or scheduled every 2, 4, 8 or 12 hours, daily, weekly, fortnightly or monthly.
Vulnerability Details
The deserialization of untrusted input occurs in the recursive_unserialized_replace function. Successful exploitation may allow an unauthenticated attacker to inject a PHP object.
Exploitation requires an administrator to perform a search-and-replace action. The vulnerable software itself contains no known POP (property-oriented programming) chain; if one is present through an additional plugin or theme installed on the target system, the attacker could delete arbitrary files, retrieve sensitive data, or execute code.
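The root cause described above is a search-and-replace routine that calls unserialize() on values it does not control. The example below is added here and is not UpdraftPlus code; the function and class names are hypothetical. It places the unsafe pattern (any class loaded by WordPress, a theme or a plugin can be instantiated, so a POP chain becomes reachable) next to a hardened variant that passes `['allowed_classes' => false]`, so embedded objects are materialised as `__PHP_Incomplete_Class`, which has no magic methods, and are re-serialized under their original class name without any gadget code running. The nested payload is constructed for the demonstration.

```php
<?php
// Added example, not UpdraftPlus code. Recursive search-and-replace over
// WordPress-style option values, which may themselves be serialize() output
// (string lengths are encoded, so a naive str_replace would corrupt them).

declare(strict_types=1);

/** Cheap check: does $value look like PHP serialize() output? */
function looks_serialized(string $value): bool
{
    $value = trim($value);
    return $value === 'N;'
        || (bool) preg_match('/^(?:[bid]:[^;]*;|s:\d+:"|a:\d+:\{|O:\d+:"|C:\d+:")/', $value);
}

/** UNSAFE (hypothetical): the pattern that turns search-and-replace into an object-injection sink. */
function recursive_replace_unsafe($data, string $search, string $replace)
{
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = recursive_replace_unsafe($v, $search, $replace);
        }
        return $data;
    }
    if (!is_string($data)) {
        return $data;
    }
    if (looks_serialized($data)) {
        // Any loaded class may be instantiated here; its __wakeup()/__destruct() will run.
        $inner = @unserialize($data);
        if ($inner !== false || $data === 'b:0;') {
            return serialize(recursive_replace_unsafe($inner, $search, $replace));
        }
    }
    return str_replace($search, $replace, $data);
}

/** HARDENED (hypothetical): objects are never instantiated as their real class. */
function recursive_replace_safe($data, string $search, string $replace)
{
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = recursive_replace_safe($v, $search, $replace);
        }
        return $data;
    }
    if (!is_string($data)) {
        // Objects (now __PHP_Incomplete_Class) are passed through untouched;
        // serialize() restores their original class name on the way out.
        return $data;
    }
    if (looks_serialized($data)) {
        // allowed_classes => false: no constructor, __wakeup() or __destruct() of a
        // real class can ever run, regardless of which plugins or themes are loaded.
        $inner = @unserialize($data, ['allowed_classes' => false]);
        if ($inner !== false || $data === 'b:0;') {
            return serialize(recursive_replace_safe($inner, $search, $replace));
        }
    }
    return str_replace($search, $replace, $data);
}

/** Benign sentinel: records whether deserialization invoked a magic method. */
final class WakeupSentinel
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Constructed input: an option array whose 'obj' element is itself a serialized object,
// the shape a stored value could take if a site's data were attacker-influenced.
$payload = serialize([
    'url' => 'http://old.example',
    'obj' => serialize(new WakeupSentinel()),
]);

$search  = 'http://old.example';
$replace = 'http://new.example';

$out = recursive_replace_safe($payload, $search, $replace);
echo $out, PHP_EOL;
echo 'magic methods run on hardened path: ', WakeupSentinel::$wakeups, PHP_EOL;

recursive_replace_unsafe($payload, $search, $replace);
echo 'magic methods run on unsafe path:    ', WakeupSentinel::$wakeups, PHP_EOL;
```

The hardened variant deliberately does not recurse into object properties: a value that deserializes to an object is kept opaque and re-emitted as the same class name, so the replacement is applied only to scalars and arrays. Where object contents must be edited, a safer design is to operate on the serialized text with a length-aware rewrite rather than to instantiate the object at all.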
Affected versions
The vulnerability affects UpdraftPlus: WP Backup & Migration Plugin versions prior to 1.24.11.
Mitigation
Customers must upgrade to the UpdraftPlus: WP Backup & Migration Plugin version 1.24.12 to patch the vulnerability.
For more information about the mitigation, please refer to the WordPress security advisory.
Qualys Detection
Qualys customers can scan their devices with QID 732150 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.