UpdraftPlus: WordPress Backup & Migration Plugin

Software Type	Plugin
Software Slug	updraftplus (view on wordpress.org)
Software Status	Active
Software Author	davidanderson
Software Website	updraftplus.com
Software Downloads	110,828,104
Software Active Installs	3,000,000
Software Record Last Updated	December 7, 2023

14 Vulnerabilities

UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update

5.4

CVE-2023-5982

Nov 7, 2023

Researcher: Nicolas Decayeux

UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage

6.1

CVE-2023-32960

May 18, 2023

Researcher: Rafie Muhammad

UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler

8.8

CVE ID Unknown

Mar 16, 2023

Researchers:

Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore

5.3

CVE ID Unknown

Mar 8, 2023

Researchers:

UpdraftPlus WordPress Backup Plugin < 1.22.9 Reflected Cross-Site Scripting

6.1

CVE-2022-0864

Apr 7, 2022

Researcher: Taurus Omar

UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure

6.5

CVE-2022-0633

Feb 17, 2022

Researcher: Marc-Alexandre Montpas

UpdraftPlus WordPress Backup Plugin <= 1.16.68 - Reflected Cross-Site Scripting via updraft_restore

6.1

CVE-2021-25089

Dec 28, 2021

Researcher: ZhongFu Su

UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting

6.1

CVE-2021-25022

Dec 6, 2021

Researcher: Krzysztof Zając

UpdraftPlus < 1.16.59 - Authenticated (Admin+) Local File Inclusion

7.2

CVE ID Unknown

Jul 12, 2021

Researchers:

UpdraftPlus WordPress Backup Plugin < 1.6.59 - Stored Cross-Site Scripting

4.8

CVE-2021-24423

May 9, 2021

Researcher: Vladislav Pokrovsky (ΞX.MI)

UpdraftPlus <= 1.9.63 and UpdraftPlus (paid) <= 2.9.63 - Cross-Site Scripting

6.1

CVE-2015-9360

Sep 22, 2020

Researchers:

UpdraftPlus <= 1.13.4 - Stored Cross-Site Scripting

5.4

CVE-2017-18593

Aug 8, 2017

Researchers:

UpdraftPlus WordPress Backup <= 1.9.6.3 - Cross-Site Scripting

6.1

CVE ID Unknown

Apr 20, 2015

Researchers:

UpdraftPlus WordPress Backup Plugin <= 1.9.50 - Nonce Leak to Authorization Bypass

9.9

CVE ID Unknown

Feb 3, 2015

Researcher: Marc-Alexandre Montpas

Title	CVE ID	CVSS	Researchers	Date
UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update	CVE-2023-5982	5.4	Nicolas Decayeux	November 7, 2023
UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage	CVE-2023-32960	6.1	Rafie Muhammad	May 18, 2023
UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler		8.8		March 16, 2023
Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore		5.3		March 8, 2023
UpdraftPlus WordPress Backup Plugin < 1.22.9 Reflected Cross-Site Scripting	CVE-2022-0864	6.1	Taurus Omar	April 7, 2022
UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure	CVE-2022-0633	6.5	Marc-Alexandre Montpas	February 17, 2022
UpdraftPlus WordPress Backup Plugin <= 1.16.68 - Reflected Cross-Site Scripting via updraft_restore	CVE-2021-25089	6.1	ZhongFu Su	December 28, 2021
UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting	CVE-2021-25022	6.1	Krzysztof Zając	December 6, 2021
UpdraftPlus < 1.16.59 - Authenticated (Admin+) Local File Inclusion		7.2		July 12, 2021
UpdraftPlus WordPress Backup Plugin < 1.6.59 - Stored Cross-Site Scripting	CVE-2021-24423	4.8	Vladislav Pokrovsky (ΞX.MI)	May 9, 2021
UpdraftPlus <= 1.9.63 and UpdraftPlus (paid) <= 2.9.63 - Cross-Site Scripting	CVE-2015-9360	6.1		September 22, 2020
UpdraftPlus <= 1.13.4 - Stored Cross-Site Scripting	CVE-2017-18593	5.4		August 8, 2017
UpdraftPlus WordPress Backup <= 1.9.6.3 - Cross-Site Scripting		6.1		April 20, 2015
UpdraftPlus WordPress Backup Plugin <= 1.9.50 - Nonce Leak to Authorization Bypass		9.9	Marc-Alexandre Montpas	February 3, 2015

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation