UpdraftPlus 1.23.3 / 2.23.3 Release
Short version: A security risk identified in UpdraftPlus has been resolved in 1.23.3 (free version) / 2.23.3 (paid versions); you should update to the latest version straight away, and then all will be well.
Who is vulnerable?
The great majority of sites are not vulnerable (but you should update anyway). If your site has untrusted non-admin users who can sign in to your WordPress back-end (i.e. the ‘wp-admin’ dashboard) and you are using an UpdraftPlus version from 1.22.14 to 1.23.2 (free) or 2.22.14 to 2.23.2 (paid), then, given sufficient advanced technical skills, these users have the capability to gain the powers of admins (or, on WordPress multisite installs, super-admins). Updating will immediately close this loophole.
If untrusted people can sign up but cannot reach the WordPress back-end dashboard (i.e. at /wp-admin), then you are also not vulnerable (e.g. if you are using WooCommerce, customers in your shop get a WordPress account, but WooCommerce does not allow them to visit the back-end dashboard).
You are not vulnerable to this problem if your version of UpdraftPlus is not in the above range – but we recommend you update as we only support current plugin versions.
Experience with security issues (with which I have worked for over 20 years in different contexts) shows that even thorough analysis can overlook something. So please, update UpdraftPlus on your website.
How the problem was discovered:
First credit belongs to pluginvulnerabilities.com, who notified us of a missing permissions check in our code. At this stage it was known only to be a harmless omission. We then investigated internally whether there were any pathways for this missing check to be leveraged to perform further unauthorised operations, and found that this was in fact the case in the scenarios described above.
When and how the problem was introduced:
The issue was introduced in a release of UpdraftPlus in the second half of 2022, as a result of moving existing code around in order to prepare the way for future improvements in that code. This resulted in code that previously had not been reachable without the appropriate permissions check becoming accessible without it. All our code changes go through multiple reviews before being launched, but in this case there was a subtlety involved in moving around existing code that led us to overlook the implications of the move. We are reviewing how to prevent this from happening in future.
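The failure mode described above (a permissions check that guarded the only entry point, then stopped guarding the code once that code was moved and reached from elsewhere) is a general WordPress plugin hazard. The following is an added, hypothetical illustration written for this post; it is not UpdraftPlus code and does not describe the actual affected function. The plugin name, hook, nonce action and function names are all assumptions.

```php
<?php
/*
 * Hypothetical illustration (not UpdraftPlus code) of how a capability
 * check can be lost when code is moved. admin-ajax.php is reachable by
 * any logged-in user, so every path to privileged work needs a check.
 */

// --- Before the move: the capability check sat at the single entry point. ---
function hypo_plugin_ajax_entry_before() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // The nonce only proves the request came from a page this user loaded
    // (CSRF protection); it does NOT establish that the user is allowed
    // to perform the action, so it never replaces current_user_can().
    check_ajax_referer( 'hypo_plugin_nonce', 'nonce' );
    hypo_plugin_do_privileged_work( $_POST );
}

// --- After the move: a second entry point calls the worker directly and
//     never passes through the capability check above. ---
function hypo_plugin_ajax_entry_after_broken() {
    check_ajax_referer( 'hypo_plugin_nonce', 'nonce' );
    hypo_plugin_do_privileged_work( $_POST ); // Bug: no authorisation on this path.
}

// --- Fix: authorise inside the function that does the privileged work, so
//     the check holds no matter which caller reaches it. On multisite, use
//     is_super_admin() or 'manage_network_options' where the operation
//     affects the whole network.
function hypo_plugin_do_privileged_work( $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // ... privileged operation (e.g. changing plugin settings) goes here ...
    wp_send_json_success();
}

// wp_ajax_* hooks fire for any authenticated user, including subscribers.
add_action( 'wp_ajax_hypo_plugin_action', 'hypo_plugin_ajax_entry_after_broken' );
```

The review habit that catches this class of bug is to treat every function that performs a privileged operation as its own trust boundary: when a call site is added or moved, ask whether the callee still verifies the capability itself rather than relying on a caller that may no longer be the only one.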
Is the problem being exploited in the wild?
No, not to our knowledge; we discovered the ultimate possibility internally based on a tip-off from a friendly security researcher. You should, of course, still update immediately.
Can you give me technical details of the exploit?
The exploit requires some work to work out and implement. At this stage it is best that we do not help any would-be attackers with that process.
I am using a paid version of UpdraftPlus, and my licence has expired, or I am vulnerable and do not want to update (any version) – what can I do?
Any one of these will protect you:
- Install and activate the “Hotfix” plugin from this page.
- Or, delete any non-admin users whom you do not trust.
- Or, remove their ability to visit the WordPress dashboard using a free plugin.
- Or, de-activate UpdraftPlus.
- Or, uninstall the premium version of UpdraftPlus and install the free version of UpdraftPlus instead.
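For the option of keeping untrusted users out of the dashboard, the following added example shows the mechanism such a plugin typically uses; it is a hypothetical must-use plugin written for this post, not UpdraftPlus code or the code of any particular free plugin. It assumes that anyone who should keep dashboard access holds the `manage_options` capability (i.e. is an administrator), and that front-end features on the site may still depend on admin-ajax.php.

```php
<?php
/*
 * Plugin Name: Hypothetical Dashboard Restriction (example, not UpdraftPlus code)
 * Description: Send logged-in users without 'manage_options' away from wp-admin.
 *
 * Save as wp-content/mu-plugins/restrict-dashboard.php; must-use plugins
 * activate automatically and cannot be deactivated from the dashboard.
 */

add_action( 'admin_init', function () {
    // admin-ajax.php lives under wp-admin but serves front-end requests,
    // so it is excluded here; everything else under /wp-admin is redirected.
    if ( wp_doing_ajax() ) {
        return;
    }

    if ( is_user_logged_in() && ! current_user_can( 'manage_options' ) ) {
        // wp_safe_redirect() only follows same-host targets.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
} );

// Hide the admin toolbar for the same users so they are not offered
// links back into the dashboard.
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( 'manage_options' ) ? $show : false;
} );
```

Before deploying this on a live site, confirm which roles genuinely need the dashboard (editors and shop managers, for instance, usually do) and relax the capability test accordingly; a redirect that locks out legitimate staff is easy to miss in testing when you only try it as an administrator.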
How come my site was already automatically updated to this version?
WordPress and UpdraftPlus both show you a setting allowing you to opt in to automatic updates when a new plugin version is released. If you turned this on, then this likely performed the update.
Web hosting companies also have the ability to automatically update any plugin on your website, so this is another possibility.
By default, the plugins team at wordpress.org has the ability to automatically push updates to all users of wordpress.org plugins (i.e. free plugins in their directory) if they deem it a good idea. They have done so with this update, and so many wordpress.org users will have received the update already via this mechanism. If you don’t want them to be able to do this, then they have documented how to disable that here.
Once more: we are sorry, and are committed to working hard to prevent this happening again. Thank you for being a user of UpdraftPlus.
About the author

Dee Nutbourne
Dee is the Systems Operations Lead at Updraft WP Software. She’s worked in tech and with Updraft specifically, for 11 years. She was a developer for 8 years and has worked on plugins, themes and site management. Dee now manages our internal systems. She also helps with customer support and contributes to documentation, FAQs and guides.