H3-2025-0051
UpdraftPlus Plugin PEM Key Exposure
Category: CREDENTIALS
Base Score: 6.5
Description
This weakness occurs because the UpdraftPlus plugin stores the contents of PEM private keys, which are used for authenticating with remote storage providers, in an unencrypted format. Since the plugin requires the key to be stored without a passphrase, an attacker can immediately use the exposed key to compromise the remote backup storage location.
Impact
An attacker who retrieves a .pem file from an exposed directory can potentially gain access to hosted backup stores.
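
A defender-side audit for the condition described above, as an added example that is not UpdraftPlus or advisory code: it walks a directory tree (for instance a web root) and reports PEM private keys stored without a passphrase. It goes beyond the plain .pem case by also recognising PKCS#8 and OpenSSH key blocks; the function names and the sample files are constructed for illustration.

```python
import base64, os, re, tempfile

# Any PEM-armoured private key block (RSA, EC, PKCS#8, OpenSSH labels).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\0"
OPENSSH_PLAIN = OPENSSH_MAGIC + b"\x00\x00\x00\x04none"  # cipher "none" = no passphrase

def is_passphrase_protected(label: bytes, body: bytes) -> bool:
    """Return True only when the block is clearly encrypted at rest."""
    if label == b"ENCRYPTED PRIVATE KEY":        # PKCS#8 encrypted form
        return True
    if b"Proc-Type: 4,ENCRYPTED" in body:        # legacy OpenSSL PEM header
        return True
    if label == b"OPENSSH PRIVATE KEY":          # cipher name sits inside the blob
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return False                         # unparsable: report it anyway
        return raw.startswith(OPENSSH_MAGIC) and not raw.startswith(OPENSSH_PLAIN)
    return False

def audit_tree(root: str) -> list:
    """Walk root and list (relative path, key type) for passphrase-less keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)      # keys are small; cap the read
            except OSError:
                continue                         # unreadable file: skip
            for m in PEM_BLOCK.finditer(data):
                if not is_passphrase_protected(m.group(1), m.group(2)):
                    findings.append((os.path.relpath(path, root), m.group(1).decode()))
    return sorted(findings)

def demo() -> list:
    """Run the audit over constructed placeholder files (not real key material)."""
    pem = lambda label, hdr=b"": (b"-----BEGIN %b-----\n%bQ09OU1RSVUNURUQ=\n"
                                  b"-----END %b-----\n" % (label, hdr, label))
    samples = {"backup.pem": pem(b"RSA PRIVATE KEY"),
               "locked.pem": pem(b"RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\n\n"),
               "cert.pem": pem(b"CERTIFICATE")}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_tree(root)
```

Pointing `audit_tree()` at the site's document root and backup directories lists every key file that is usable as-is by whoever can read it; each hit is a candidate for relocation outside web-served paths and for key rotation at the storage provider.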