In the past few days, millions of WordPress sites have been automatically upgraded to the latest version of the UpdraftPlus plugin to fix a critical bug found in it.
The bug allows any registered user of a site to download its database.
Millions of sites are therefore exposed to data theft (usernames, passwords, IP addresses, possibly credit card numbers).
UpdraftPlus is a plugin that enables automated backup and recovery of WordPress site databases and is one of the most popular tools for this purpose.
It has been installed on more than three million sites, leaving them vulnerable to this security flaw.
The flaw is very easy to exploit, because even registered users with the lowest level of privileges, such as subscribers or customers, gain the ability to back up the site's database.
The problem was found by Jetpack, a company that deals with site security.
It was discovered during a plugin check, and details were forwarded to the UpdraftPlus developers immediately. A patch appeared the next day, and a forced update has been under way since then.
Statistics show that the update has been performed on more than 1.7 million sites so far, and it is expected that all sites with this plugin will be updated in the next few days.