UpdraftPlus: WP Backup & Migration Plugin

Wordfence Intelligence   >   Vulnerability Database   >   WordPress Plugins   >   UpdraftPlus: WP Backup & Migration Plugin

Information

Software Type Plugin
Software Slug updraftplus (view on wordpress.org)
Software Status Active
Software Author davidanderson
Software Website updraftplus.com
Software Downloads 121,332,380
Software Active Installs 3,000,000
Software Record Last Updated July 26, 2024

14 Vulnerabilities

UpdraftPlus WordPress Backup Plugin <= 1.9.50 - Nonce Leak to Authorization Bypass
9.9
CVE ID Unknown
Feb 3, 2015
Researcher: Marc-Alexandre Montpas
UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler
8.8
CVE ID Unknown
Mar 16, 2023
Researchers:
UpdraftPlus < 1.16.59 - Authenticated (Admin+) Local File Inclusion
7.2
CVE ID Unknown
Jul 12, 2021
Researchers:
UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure
6.5
CVE-2022-0633
Feb 17, 2022
Researcher: Marc-Alexandre Montpas
UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage
6.1
CVE-2023-32960
May 18, 2023
Researcher: Rafie Muhammad
UpdraftPlus WordPress Backup Plugin < 1.22.9 Reflected Cross-Site Scripting
6.1
CVE-2022-0864
Apr 7, 2022
Researcher: Taurus Omar
UpdraftPlus WordPress Backup Plugin <= 1.16.68 - Reflected Cross-Site Scripting via updraft_restore
6.1
CVE-2021-25089
Dec 28, 2021
Researcher: ZhongFu Su
UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting
6.1
CVE-2021-25022
Dec 6, 2021
Researcher: Krzysztof Zając
UpdraftPlus <= 1.9.63 and UpdraftPlus (paid) <= 2.9.63 - Cross-Site Scripting
6.1
CVE-2015-9360
Sep 22, 2020
Researchers:
UpdraftPlus WordPress Backup <= 1.9.6.3 - Cross-Site Scripting
6.1
CVE ID Unknown
Apr 20, 2015
Researchers:
UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update
5.4
CVE-2023-5982
Nov 7, 2023
Researcher: Nicolas Decayeux
UpdraftPlus <= 1.13.4 - Stored Cross-Site Scripting
5.4
CVE-2017-18593
Aug 8, 2017
Researchers:
Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore
5.3
CVE ID Unknown
Mar 8, 2023
Researchers:
UpdraftPlus WordPress Backup Plugin < 1.6.59 - Stored Cross-Site Scripting
4.8
CVE-2021-24423
May 9, 2021
Researcher: RE-ALTER
Title Status CVE ID CVSS Researchers Date
UpdraftPlus WordPress Backup Plugin <= 1.9.50 - Nonce Leak to Authorization Bypass Patched 9.9 Marc-Alexandre Montpas February 3, 2015
UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler Patched 8.8 March 16, 2023
UpdraftPlus < 1.16.59 - Authenticated (Admin+) Local File Inclusion Patched 7.2 July 12, 2021
UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure Patched CVE-2022-0633 6.5 Marc-Alexandre Montpas February 17, 2022
UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage Patched CVE-2023-32960 6.1 Rafie Muhammad May 18, 2023
UpdraftPlus WordPress Backup Plugin < 1.22.9 Reflected Cross-Site Scripting Patched CVE-2022-0864 6.1 Taurus Omar April 7, 2022
UpdraftPlus WordPress Backup Plugin <= 1.16.68 - Reflected Cross-Site Scripting via updraft_restore Patched CVE-2021-25089 6.1 ZhongFu Su December 28, 2021
UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting Patched CVE-2021-25022 6.1 Krzysztof Zając December 6, 2021
UpdraftPlus <= 1.9.63 and UpdraftPlus (paid) <= 2.9.63 - Cross-Site Scripting Patched CVE-2015-9360 6.1 September 22, 2020
UpdraftPlus WordPress Backup <= 1.9.6.3 - Cross-Site Scripting Patched 6.1 April 20, 2015
UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update Patched CVE-2023-5982 5.4 Nicolas Decayeux November 7, 2023
UpdraftPlus <= 1.13.4 - Stored Cross-Site Scripting Patched CVE-2017-18593 5.4 August 8, 2017
Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore Patched 5.3 March 8, 2023
UpdraftPlus WordPress Backup Plugin < 1.6.59 - Stored Cross-Site Scripting Patched CVE-2021-24423 4.8 RE-ALTER May 9, 2021

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation