A serious security vulnerability has been discovered in UpdraftPlus, one of WordPress's most popular backup and migration plugins, putting millions of websites at potential risk. The flaw affects all versions up to 1.24.11 of the plugin, which is actively used on over 3 million WordPress installations worldwide.
The vulnerability, identified as CVE-2024-10957, centers on a PHP Object Injection weakness in the plugin's recursive_unserialized_replace function. While the flaw cannot be exploited on its own, it becomes dangerous when combined with other vulnerable plugins or themes that contain what security experts call a "POP chain" (Property-Oriented Programming chain).
When exploited successfully, attackers could potentially:
- Execute malicious code and take control of websites
- Remove critical system files
- Access and steal sensitive data
The security issue received a "High" severity rating with a CVSS score of 8.8. For an attack to succeed, two conditions must hold: another vulnerable plugin or theme supplying a POP chain must be installed, and an administrator must perform a search-and-replace operation through UpdraftPlus.
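To show why a search-and-replace routine that unserializes stored values is a PHP Object Injection sink, and how the same routine can be hardened, here is an added PHP example that is not UpdraftPlus's code: the `Gadget` class, `looks_serialized()` and both `replace_*` functions are assumed names, and the stored value is constructed.

```php
<?php
// Added illustration, not UpdraftPlus code: a simplified recursive
// "unserialize, replace, re-serialize" helper, as an object-injection sink and hardened.

// Stand-in for a gadget class another installed plugin or theme might define.
// PHP calls __wakeup() during unserialize(); a POP chain starts from such hooks.
class Gadget
{
    public static bool $wakeupRan = false;
    public function __wakeup(): void { self::$wakeupRan = true; }
}
// Rough "looks like serialized PHP" check (assumed helper, not WordPress's).
function looks_serialized(string $s): bool
{
    return $s === 'N;' || (bool) preg_match('/^[aOsibd]:/', $s);
}

// UNSAFE: default unserialize() instantiates whatever class the stored string
// names, so a gadget's __wakeup()/__destruct() fires before any replacement.
function replace_unsafe(mixed $data, string $from, string $to): mixed
{
    if (is_string($data) && looks_serialized($data)) {
        return serialize(replace_unsafe(unserialize($data), $from, $to));
    }
    if (is_array($data)) return array_map(fn($v) => replace_unsafe($v, $from, $to), $data);
    return is_string($data) ? str_replace($from, $to, $data) : $data;
}

// HARDENED: allowed_classes => false maps every object to __PHP_Incomplete_Class
// without calling any magic method; a top-level object is skipped, nested ones stay incomplete.
function replace_hardened(mixed $data, string $from, string $to): mixed
{
    if (is_string($data) && looks_serialized($data)) {
        $inner = @unserialize($data, ['allowed_classes' => false]);
        if ($inner === false || $inner instanceof __PHP_Incomplete_Class) {
            return $data; // malformed or an object: leave the value untouched
        }
        return serialize(replace_hardened($inner, $from, $to));
    }
    if (is_array($data)) return array_map(fn($v) => replace_hardened($v, $from, $to), $data);
    return is_string($data) ? str_replace($from, $to, $data) : $data;
}

// Constructed sample: an option value holding a serialized Gadget object.
$stored = 'O:6:"Gadget":0:{}';
replace_hardened($stored, 'http://old.example', 'https://new.example');
var_dump(Gadget::$wakeupRan); // flag untouched: nothing was instantiated
replace_unsafe($stored, 'http://old.example', 'https://new.example');
var_dump(Gadget::$wakeupRan); // flag set: __wakeup() ran inside unserialize()
```

The hardened variant relies on the `allowed_classes` option of `unserialize()`, available since PHP 7.0; on a real site the gadget class would come from whichever other plugin or theme the article refers to, not from the backup plugin itself.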
"This vulnerability highlights how seemingly minor flaws can cascade into major security risks when plugins interact," said a security researcher familiar with the issue. "Website owners need to stay vigilant about updates across their entire WordPress installation."
UpdraftPlus has released version 1.24.12 which patches the vulnerability. Website administrators are strongly advised to:
- Update to UpdraftPlus version 1.24.12 or later immediately
- Review and update all installed plugins and themes
- Minimize use of search-and-replace operations
- Consider implementing a Web Application Firewall
The discovery serves as a reminder of the complex security challenges faced by WordPress site owners, particularly those running multiple plugins and themes.