The mandatory patch addressed a critical vulnerability in a widely used plugin that allowed untrusted visitors to download a website's backups.
UpdraftPlus simplifies the process of backing up and restoring website databases and is the internet’s most widely used scheduled backup plugin for the WordPress content management system.

The mandatory patch fixes a vulnerability, which allows untrusted subscribers, customers, and others to download the site’s private database as long as they have an account on the vulnerable site. Databases frequently include sensitive information about customers or the site’s security settings, leaving millions of sites susceptible to serious
“This bug is pretty easy to exploit, with some very bad outcomes if it does get exploited,” said Marc Montpas, the security researcher who discovered the vulnerability and privately reported it to the plugin developers. “It made it possible for low-privilege users to download a site's backups, which include raw database backups. Low-privilege accounts could mean a lot of things. Regular subscribers, customers, etc.”
Montpas, a researcher at website security firm Jet, said he found the vulnerability during a security audit of the plugin and provided details to UpdraftPlus developers on Tuesday. A day later, the developers published a fix and agreed to force-install it on WordPress sites that had the plugin installed. 1.7 million sites received the update on Thursday, and more than 287,000 more had installed it as of press time. WordPress says the plugin has 3+ million users.
This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have any existing backup, then you are potentially vulnerable to a technically skilled user working out how to download the existing backup. Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public.
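The article describes the defect only at the level of "any account holder could download a backup". As an added illustration of the access-control distinction behind that statement, not UpdraftPlus's own code, the hypothetical WordPress AJAX handler below is shown twice: the weak version treats "logged in" as sufficient, the corrected one requires an administrative capability, an action-bound nonce and a backup path confined to the plugin's own directory. The action name, directory and helper functions are placeholders.

```php
<?php
// Hypothetical plugin code (not UpdraftPlus). Backups hold the full database,
// so the read gate must be at least as strict as for wp-config.php.

function example_backup_dir() {
    // Placeholder storage location under the WordPress content directory.
    return WP_CONTENT_DIR . '/example-backups';
}

function example_stream_backup_file( $path ) {
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// WEAK: every account (subscriber, customer, ...) passes this gate. Note that
// wp_ajax_* (without nopriv) already implies a login, so the explicit
// is_user_logged_in() check adds nothing on top of WordPress's own behaviour.
function example_download_backup_weak() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $file = sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) );
    example_stream_backup_file( example_backup_dir() . '/' . $file );
}

// CORRECTED: nonce bound to this action, an administrative capability, and a
// path check that refuses anything outside the backup directory.
function example_download_backup_fixed() {
    // Missing or stale nonce: WordPress replies 403 and stops here.
    check_ajax_referer( 'example_download_backup', 'nonce' );

    // Only administrators (manage_options) may retrieve a backup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $file = sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) );
    $base = realpath( example_backup_dir() );
    $path = realpath( example_backup_dir() . '/' . $file );

    // Must resolve to an existing file strictly inside the backup directory.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid backup name' ), 400 );
    }
    example_stream_backup_file( $path );
}

add_action( 'wp_ajax_example_download_backup', 'example_download_backup_fixed' );
```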