Millions of WordPress sites were forced to install urgent and mandatory security updates due to a vulnerability in a very popular plugin called UpdraftPlus, which allows regular users to back up websites.

The UpdraftPlus plugin provides site owners with the ability to save a backup of their website databases, but it was observed that this feature was not only available to site owners, but it is accessible to anyone who has a membership on the sites that support it – meaning that if you are registered on a site that contains this plugin, you can back up the entire site to your device.

A security researcher at Jetpack discovered this vulnerability during a review of the plugin, as Jetpack provides protection for WordPress sites and security testing for plugins so that they do not cause breaches. During the plugin review, the researcher found that any registered user on the site can back up the site and download its entire database.

The researcher then informed the UpdraftPlus developers, who in turn sent mandatory updates to the sites with the plugin installed, numbering more than 3 million sites.