164 matches found
UpdraftPlus < 1.22.9 - Cross-Site Scripting
The plugin does not sanitise and escape the updraftinterval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. id: CVE-2022-0864 info: name: UpdraftPlus 1.22.9 - Cross-Site Scripting author: DhiyaneshDk severity: medium description...
VulnCheck KEV: CVE-2022-0633
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database...
PT-2026-6629
Your WordPress backup plugin just leaked your entire database. 💀 CVE-2026-11200 is live. If you're using UpdraftPlus or similar, check your versions NOW. This is why we moved everything to infrastructure-level JetBackup. Full technical breakdown on why your "safety net" is actually a trap:...
CVE-2022-0633
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database...
CVE-2017-18593
The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log file...
EUVD-2017-9706
Malware in sbrugna...
EUVD-2021-12001
Malware in sbrugna...
EUVD-2021-11335
Malware in sbrugna...
EUVD-2015-9200
Malware in sbrugna...
EUVD-2023-37181
Malicious code in bioql PyPI...
EUVD-2025-1552
Malicious code in bioql PyPI...
EUVD-2022-15730
Malicious code in bioql PyPI...
EUVD-2023-27727
Malicious code in bioql PyPI...
EUVD-2024-33351
Malicious code in bioql PyPI...
EUVD-2022-15906
Malicious code in bioql PyPI...
EUVD-2023-58249
Malicious code in bioql PyPI...
CVE-2025-0215
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiaterestore parameters in all versions up to, and including, 1.24.12 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2023-32960
Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin = 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS)...
CVE-2023-23640
Missing Authorization vulnerability in MainWP MainWP UpdraftPlus Extension. This issue affects MainWP UpdraftPlus Extension: from n/a through 4.0.6...
CVE-2023-5982
The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instanceid on the 'updraftmethod-googledrive-auth' acti...