A vulnerability has been discovered in UpdraftPlus, a popular WordPress plugin used for backup and migration tasks, potentially exposing millions of websites to attacks. The flaw, tracked as CVE-2024-10957, affects all versions up to 1.24.11 and allows unauthenticated attackers to exploit PHP Object Injection vulnerabilities, provided certain conditions are met. A patch addressing the issue was released on January 4, 2025, with version 1.24.12.
UpdraftPlus is a widely used WordPress plugin designed to back up and migrate websites, making it easier for administrators to secure their data or transfer it between hosting platforms. It boasts over three million active installations, ranging from small personal blogs to large-scale commercial websites. The plugin’s utility and broad adoption make it a prime target for exploitation when vulnerabilities arise.
Flaw details and impact
The vulnerability lies in the recursive_unserialized_replace function, which deserializes input it does not adequately validate, opening the door to PHP Object Injection. The flaw is not exploitable on its own: an attacker could inject a malicious PHP object only if a separate vulnerable plugin or theme on the same site supplies a “POP chain” (Property-Oriented Programming chain).
A POP chain is a sequence of exploitable code paths that allow injected objects to perform harmful operations. In this case, while UpdraftPlus itself does not contain a POP chain, the presence of other insecure plugins or themes on the target site could enable attackers to:
- Execute arbitrary code, potentially gaining control over the website.
- Delete critical files, causing site functionality to break.
- Retrieve sensitive data, leading to data breaches or privacy violations.
The exploit requires an administrator to perform a search-and-replace operation using the plugin’s interface, which triggers the deserialization process. This means the vulnerability’s activation depends on both an attacker’s input and the specific actions of a site administrator, slightly reducing its severity. However, given the high number of installations and the extensive use of plugins on WordPress sites, the risk remains significant.
The vulnerability carries a CVSS score of 8.8, classified as High. While it requires certain conditions—such as a second vulnerable plugin/theme and an administrative action—to fully exploit, the potential repercussions make it dangerous.
Recommendations for mitigation
Users of UpdraftPlus should update to version 1.24.12 or later, as this version includes a fix for the vulnerability. In addition to upgrading to the latest version, website administrators should conduct a thorough review of all plugins and themes installed on their sites, removing or updating any that are outdated or known to be insecure.
Administrators should generally avoid running search-and-replace functions unnecessarily, and should enable a Web Application Firewall (WAF), which can block exploitation attempts by filtering malicious input targeting the site.
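As an added illustration (constructed for this write-up, not UpdraftPlus code or the article's own), the snippet below contrasts the unsafe deserialization pattern behind this class of flaw with the hardened form a search-and-replace routine should use. The class name, function names and serialized payload are all assumptions made up for the demonstration; the destructor only sets a flag so the reader can see whether an object was instantiated.

```php
<?php
// Constructed example (not UpdraftPlus code): a minimal recursive
// search-and-replace over serialized data, in a risky and a hardened form.

// Stand-in for a class whose destructor has side effects. Here it only
// records that it ran, which is enough to show the object was instantiated.
class AuditedDestructor {
    public static bool $ran = false;
    public function __destruct() { self::$ran = true; }
}

// Risky pattern: unserialize() with no class restrictions instantiates any
// class named in the (attacker-influenced) data, so __destruct/__wakeup fire.
function risky_replace(string $data, string $from, string $to): string {
    $value = @unserialize($data);
    return $value === false ? $data : serialize(walk($value, $from, $to));
}

// Hardened pattern: allowed_classes => false turns any object in the
// payload into __PHP_Incomplete_Class, so no magic method can be reached.
function safe_replace(string $data, string $from, string $to): string {
    $value = @unserialize($data, ['allowed_classes' => false]);
    return $value === false ? $data : serialize(walk($value, $from, $to));
}

// Shared recursion over arrays and scalars; objects are left untouched.
function walk($value, string $from, string $to) {
    if (is_array($value)) {
        foreach ($value as $k => $v) { $value[$k] = walk($v, $from, $to); }
        return $value;
    }
    return is_string($value) ? str_replace($from, $to, $value) : $value;
}

// Constructed input: a serialized array that smuggles an object. In the
// scenario the article describes it would sit in stored site content.
$payload = 'a:1:{s:3:"url";O:17:"AuditedDestructor":0:{}}';

safe_replace($payload, 'http://old.example', 'https://new.example');
var_dump(AuditedDestructor::$ran);   // bool(false): object never built

risky_replace($payload, 'http://old.example', 'https://new.example');
var_dump(AuditedDestructor::$ran);   // bool(true): destructor already ran
```

Run with `php example.php`; the two `var_dump` lines show that the hardened call leaves the flag untouched while the unrestricted call lets the destructor execute as soon as the deserialized value is freed.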
David Anderson
> A patch addressing the issue was released on January 4, 2025, with version 1.24.12.
UpdraftPlus Version 1.24.12 was released on December 23rd 2024, as per the changelog on the WordPress plugins page.
> “The flaw, tracked as CVE-2024-10957, affects all versions up to 1.24.11”
It affects versions from 1.23.8 onwards, as per the 1.23.8 changelog item before which search-and-replace was not in the plugin.
It could also be noted that successful exploitation, as well as the things listed in the article, also requires the attacker to be able to publish content on the site, and for the site owner to allow it to remain before doing the search/replace.
To my knowledge, no WordPress security company has ever published finding any sample of code that would fulfil the conditions for the pre-condition of the second vulnerable plugin/theme that has to be installed. Have you ever seen a PHP object destructor in a WordPress plugin that allows running of arbitrary code? I never have, and I’d be interested to hear from someone who has.
So, whilst this was a code issue to fix (and more than half the total of sites did not have this code by the time this piece was published), it wasn’t in reality a very interesting one. It’s quite possible that there are literally precisely zero sites that could be theoretically affected. The fact that the CVSS scoring system gives an 8.8 because of its requirement to assume nuclear worst-case scenarios is related to the fact that we could do with a scoring system that was designed for WordPress and better reflects actual risk in realistic scenarios.
Thank you.