汇总 updraftplus 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 SSRF与路径处理缺陷 等问题,部分漏洞可能导致 会话劫持,并影响 生产负载与软件部署 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-3951 | The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations. | [email protected] | 4.1 | 0.19% | 2025-06-02 | 2025-06-09 |
| CVE-2024-1037 | The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | [email protected] | 6.1 | 1.12% | 2024-02-07 | 2026-04-08 |
| CVE-2023-5982 | The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth' action used to update Google Drive remote storage location. This makes it possible for unauthenticated attackers to modify the Google Drive location that backups are sent to via a forged request granted the | [email protected] | 5.4 | 0.16% | 2023-11-07 | 2026-04-08 |
| CVE-2023-26530 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paul Kehrer Updraft plugin <= 0.6.1 versions. | [email protected] | 7.1 | 0.07% | 2023-08-17 | 2024-11-21 |
| CVE-2023-1119 | The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability. | [email protected] | 6.1 | 24.22% | 2023-07-10 | 2025-01-06 |
| CVE-2023-32960 | Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS). | [email protected] | 7.1 | 0.05% | 2023-06-22 | 2024-11-21 |
| CVE-2023-0157 | The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. | [email protected] | 4.8 | 25.13% | 2023-04-10 | 2025-02-11 |
| CVE-2023-0156 | The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). The plugin only displays the last 50 lines of the file. | [email protected] | 4.9 | 34.88% | 2023-04-10 | 2025-02-11 |
| CVE-2022-4346 | The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. | [email protected] | 5.3 | 0.25% | 2023-01-23 | 2025-04-02 |
| CVE-2022-4097 | The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | [email protected] | 5.3 | 0.16% | 2022-12-12 | 2025-04-14 |
| CVE-2022-0864 | The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. | [email protected] | 6.1 | 2.87% | 2022-04-04 | 2024-11-21 |
| CVE-2022-0633 | The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup. | [email protected] | 6.5 | 1.40% | 2022-02-17 | 2024-11-21 |
| CVE-2021-25089 | The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting | [email protected] | 6.1 | 0.20% | 2022-02-01 | 2024-11-21 |
| CVE-2021-24423 | The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue | [email protected] | 4.8 | 0.19% | 2022-01-24 | 2024-11-21 |
| CVE-2021-25022 | The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues | [email protected] | 6.1 | 0.26% | 2022-01-03 | 2025-05-22 |
| CVE-2017-18593 | The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log file. | [email protected] | 6.1 | 0.21% | 2019-08-28 | 2024-11-21 |
| CVE-2015-9360 | The updraftplus plugin before 1.9.64 for WordPress has XSS via add_query_arg() and remove_query_arg(). | [email protected] | 6.1 | 0.44% | 2019-08-28 | 2024-11-21 |
| CVE-2017-16871 | The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before deleting a file associated with the name parameter. NOTE: the vendor reports that this does not cross a privilege boundary | [email protected] | 8.1 | 1.12% | 2017-11-17 | 2026-05-13 |
| CVE-2017-16870 | The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF in the updraft_ajax_handler function in /wp-content/plugins/updraftplus/admin.php via an httpget subaction. NOTE: the vendor reports that this does not cross a privilege boundary | [email protected] | 8.1 | 0.40% | 2017-11-17 | 2026-05-13 |