PLUGIN SECURITY
Is Updraftplus safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Updraftplus WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
updraftplus - Max supported PHP (analyzed): <8.0
Known vulnerabilities
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.22.3 [CVE-2022-0633, WordPress UpdraftPlus plugin <= 1.22.1 - Arbitrary Backup Downloads vulnerability, UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure, UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.16.69 [CVE-2021-25089, WordPress UpdraftPlus plugin <= 1.16.66 - Reflected Cross-Site Scripting (XSS) vulnerability, UpdraftPlus WordPress Backup Plugin <= 1.16.68 - Reflected Cross-Site Scripting via updraft_restore, UpdraftPlus < 1.16.69 - Reflected Cross-Site Scripting, EUVD-2021-12001]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.6.59 [CVE-2021-24423, UpdraftPlus WordPress Backup Plugin < 1.6.59 - Stored Cross-Site Scripting, UpdraftPlus < 1.16.59 - Admin+ Stored Cross-Site Scripting]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.16.66 [CVE-2021-25022, WordPress UpdraftPlus plugin <= 1.16.65 - Reflected Cross-Site Scripting (XSS) vulnerability, UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting, UpdraftPlus < 1.16.66 - Reflected Cross-Site Scripting]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.9.64 [CVE-2015-9360, UpdraftPlus <= 1.9.63 and UpdraftPlus (paid) <= 2.9.63 - Cross-Site Scripting]
+ 22 more known vulnerabilities
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.13.5 [CVE-2017-18593, Updraftplus < 1.13.5 - XSS, UpdraftPlus <= 1.13.4 - Stored Cross-Site Scripting]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] <= 1.13.12 [CVE-2017-16871]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] <= 1.13.12 [CVE-2017-16870]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.22.9 [CVE-2022-0864, WordPress UpdraftPlus plugin <= 1.22.8 - Reflected Cross-Site Scripting (XSS) vulnerability, UpdraftPlus WordPress Backup Plugin < 1.22.9 Reflected Cross-Site Scripting, UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.16.59 [WordPress UpdraftPlus plugin <= 1.16.58 - Local File Inclusion (LFI) vulnerability]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.9.51 [WordPress UpdraftPlus Plugin <= 1.9.50 - Privilege Escalation]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.9.6.4 [WordPress UpdraftPlus Backup & Restoration Plugin <= 1.9.6.3 - Cross Site Scripting]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.16.59 [UpdraftPlus < 1.16.59 - Authenticated (Admin+) Local File Inclusion]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.16.59 [UpdraftPlus < 1.16.59 - Admin+ Local File Inclusion]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.9.6.4 [UpdraftPlus WordPress Backup <= 1.9.6.3 - Cross-Site Scripting]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.9.51 [UpdraftPlus WordPress Backup Plugin <= 1.9.50 - Nonce Leak to Authorization Bypass]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.23.1 [Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.23.1 [WordPress UpdraftPlus Plugin <= 1.22.24 is vulnerable to Cross Site Request Forgery (CSRF)]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] >= 1.22.14 - <= 1.23.2 [UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] >= 1.22.14 - <= 1.23.2 [WordPress UpdraftPlus Plugin 1.22.14-1.23.2 is vulnerable to Broken Access Control]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] >= 2.22.14 - <= 2.23.2 [WordPress UpdraftPlus Plugin 2.22.14-2.23.2 is vulnerable to Broken Access Control]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.23.4 [CVE-2023-32960, WordPress UpdraftPlus Plugin <= 1.23.3 is vulnerable to Cross Site Request Forgery (CSRF), UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage, UpdraftPlus < 1.23.4 - CSRF]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.23.1 [WordPress UpdraftPlus Plugin <= 1.22.24 is vulnerable to Sensitive Data Exposure]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.23.11 [CVE-2023-5982, UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update, WordPress UpdraftPlus Plugin <= 1.23.10 is vulnerable to Cross Site Request Forgery (CSRF), UpdraftPlus: WordPress Backup & Migration < 1.23.11 - Google Drive Storage Update via CSRF]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.24.12 [CVE-2024-10957, UpdraftPlus: WP Backup & Migration Plugin 1.23.8 - 1.24.11 - Unauthenticated PHP Object Injection, WordPress UpdraftPlus Plugin <= 1.24.11 is vulnerable to PHP Object Injection]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.25.1 [CVE-2025-0215, UpdraftPlus - Backup/Restore <= 1.24.12 - Reflected Cross-Site Scripting, EUVD-2025-1552]
- UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.26.5 [CVE-2026-10795, UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 (free) < 2.26.5 (premium) - Unauthenticated Authentication Bypass via UpdraftCentral udrpc]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- All-in-One WP Migration and Backup — 5000000+ active installs — max PHP <8.0
- Jetpack – WP Security, Backup, Speed, & Growth — 3000000+ active installs
- Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More — 1000000+ active installs — max PHP <8.0
- ManageWP Worker — 1000000+ active installs — max PHP <8.0
- WPvivid — Backup, Migration & Staging — 900000+ active installs — max PHP <8.0
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.