17 May 2023

Latest Version of UpdraftPlus Fixes Cross-Site Request Forgery (CSRF) Vulnerability

The top listing in the changelog for the latest version of the 3+ million install WordPress plugin UpdraftPlus is about a security fix in the new version:

SECURITY: Fixed a missing nonce combined with a URL sanitisation failure, which could lead to a targeted XSS opportunity (if an attacker persuades a logged-in administrator to both re-authorise their connection to a remote storage (e.g. Dropbox) and then to follow a link personally crafted for their site before re-authorising whilst logged in, he can then store a fixed JavaScript payload in the WP admin area (they would need a further route to use that ability to cause any damage)). Because of the need for the administrator to co-operate in multiple steps, this attack is very unlikely (but you should of course still update).

It really isn’t a great look that the developer of one of the most popular WordPress plugins, All-In-One Security (AIOS), is again having to address a basic security failure in another of their plugins. We do mean again: twice in late 2021, we found they were re-introducing a reflected cross-site scripting (XSS) vulnerability when they were supposed to be fixing a vulnerability. Then in March we stumbled into a more serious vulnerability after noticing a missing capabilities check while looking into another security fix being made.

The basic security failure here was a missing check for a nonce, which is what prevents cross-site request forgery (CSRF). The check was missing from the function action_authenticate_storage() in the file /methods/backup-module.php. Here is that function in the previous version:

public function action_authenticate_storage() {
	if (isset($_GET['updraftplus_'.$this->get_id().'auth']) && 'doit' == $_GET['updraftplus_'.$this->get_id().'auth'] && !empty($_GET['updraftplus_instance'])) {
		$this->authenticate_storage((string) $_GET['updraftplus_instance']);
	}
}

Here is that function in the new version, with the nonce check (and a character allow-list check on the instance ID) added:

public function action_authenticate_storage() {
	if (isset($_GET['updraftplus_'.$this->get_id().'auth']) && 'doit' == $_GET['updraftplus_'.$this->get_id().'auth'] && !empty($_GET['updraftplus_instance']) && preg_match('/^[-A-Z0-9]+$/i', $_GET['updraftplus_instance']) && isset($_GET['nonce']) && wp_verify_nonce($_GET['nonce'], 'storage_auth_nonce')) {
		$this->authenticate_storage((string) $_GET['updraftplus_instance']);
	}
}

That function is involved in the authentication of remote storage through Dropbox and Google Drive. Without the nonce check, an attacker could cause a logged-in administrator to take that action without intending to.
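To make the two versions of the check concrete, here is an added standalone PHP model (not UpdraftPlus or WordPress code) that runs the pre-fix and post-fix conditions over a few constructed requests. The nonce functions are a simplified stand-in for wp_create_nonce()/wp_verify_nonce(), and the module id "dropbox", the user id and the secret are assumed values.

```php
<?php
// Constructed stand-in for WordPress nonces. Real WP nonces are derived from a
// time tick window, the user id, the session token and the site's salts; the
// HMAC below only models the property that matters here: a token bound to an
// action and a user that a third-party site cannot guess.
const NONCE_SECRET = 'constructed-demo-secret-not-a-real-salt';
const NONCE_ACTION = 'storage_auth_nonce';

function make_nonce(int $user_id, string $action = NONCE_ACTION): string {
    return substr(hash_hmac('sha256', $action . '|' . $user_id, NONCE_SECRET), 0, 10);
}

// Constant-time comparison, as wp_verify_nonce() also uses hash_equals().
function verify_nonce(string $nonce, int $user_id, string $action = NONCE_ACTION): bool {
    return hash_equals(make_nonce($user_id, $action), $nonce);
}

// Pre-fix condition: any link carrying the two parameters triggers the action,
// so a cross-site request made by a logged-in administrator's browser passes.
function vulnerable_should_authenticate(array $get, string $id): bool {
    return isset($get['updraftplus_' . $id . 'auth'])
        && 'doit' === $get['updraftplus_' . $id . 'auth']
        && !empty($get['updraftplus_instance']);
}

// Post-fix condition: same triggers plus the instance-id allow-list and the nonce.
function hardened_should_authenticate(array $get, string $id, int $user_id): bool {
    return isset($get['updraftplus_' . $id . 'auth'])
        && 'doit' === $get['updraftplus_' . $id . 'auth']
        && !empty($get['updraftplus_instance'])
        && preg_match('/^[-A-Z0-9]+$/i', $get['updraftplus_instance']) === 1
        && isset($get['nonce'])
        && verify_nonce((string) $get['nonce'], $user_id);
}

// Constructed requests for a module with id "dropbox", evaluated as user 1.
$user  = 1;
$cases = [
    'cross-site link, no nonce'     => ['updraftplus_dropboxauth' => 'doit', 'updraftplus_instance' => 's-1'],
    'cross-site link, guessed nonce'=> ['updraftplus_dropboxauth' => 'doit', 'updraftplus_instance' => 's-1', 'nonce' => 'abcdef0123'],
    'valid nonce, markup in id'     => ['updraftplus_dropboxauth' => 'doit', 'updraftplus_instance' => 's-1<b>', 'nonce' => make_nonce($user)],
    'valid nonce, valid id'         => ['updraftplus_dropboxauth' => 'doit', 'updraftplus_instance' => 's-1', 'nonce' => make_nonce($user)],
];
foreach ($cases as $label => $get) {
    printf("%-32s vulnerable=%-5s hardened=%s\n", $label,
        var_export(vulnerable_should_authenticate($get, 'dropbox'), true),
        var_export(hardened_should_authenticate($get, 'dropbox', $user), true));
}
```

Only the last case passes the hardened check; the first three all pass the vulnerable one.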

We found several additional places in the code where it looks like CSRF protection would probably be appropriate, but nothing that looks like a vulnerability due to a lack of that.
