WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Updraftplus safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Updraftplus WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: updraftplus
  • Max supported PHP (analyzed): <8.0

Known vulnerabilities

  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.22.3 [CVE-2022-0633, WordPress UpdraftPlus plugin <= 1.22.1 - Arbitrary Backup Downloads vulnerability, UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure, UpdraftPlus Free &lt; 1.22.3 &amp; Premium &lt; 2.22.3 - Subscriber+ Backup Download]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.16.69 [CVE-2021-25089, WordPress UpdraftPlus plugin <= 1.16.66 - Reflected Cross-Site Scripting (XSS) vulnerability, UpdraftPlus WordPress Backup Plugin <= 1.16.68 - Reflected Cross-Site Scripting via updraft_restore, UpdraftPlus &lt; 1.16.69 - Reflected Cross-Site Scripting, EUVD-2021-12001]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.6.59 [CVE-2021-24423, UpdraftPlus WordPress Backup Plugin < 1.6.59 - Stored Cross-Site Scripting, UpdraftPlus &lt; 1.16.59 - Admin+ Stored Cross-Site Scripting]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.16.66 [CVE-2021-25022, WordPress UpdraftPlus plugin <= 1.16.65 - Reflected Cross-Site Scripting (XSS) vulnerability, UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting, UpdraftPlus &lt; 1.16.66 - Reflected Cross-Site Scripting]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.9.64 [CVE-2015-9360, UpdraftPlus <= 1.9.63 and UpdraftPlus (paid) <= 2.9.63 - Cross-Site Scripting]
+ 22 more known vulnerabilities
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.13.5 [CVE-2017-18593, Updraftplus &lt; 1.13.5 - XSS, UpdraftPlus <= 1.13.4 - Stored Cross-Site Scripting]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] <= 1.13.12 [CVE-2017-16871]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] <= 1.13.12 [CVE-2017-16870]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.22.9 [CVE-2022-0864, WordPress UpdraftPlus plugin <= 1.22.8 - Reflected Cross-Site Scripting (XSS) vulnerability, UpdraftPlus WordPress Backup Plugin < 1.22.9 Reflected Cross-Site Scripting, UpdraftPlus &lt; 1.22.9 - Reflected Cross-Site Scripting]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.16.59 [WordPress UpdraftPlus plugin <= 1.16.58 - Local File Inclusion (LFI) vulnerability]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.9.51 [WordPress UpdraftPlus Plugin <= 1.9.50 - Privilege Escalation]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.9.6.4 [WordPress UpdraftPlus Backup & Restoration Plugin <= 1.9.6.3 - Cross Site Scripting]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.16.59 [UpdraftPlus < 1.16.59 - Authenticated (Admin+) Local File Inclusion]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.16.59 [UpdraftPlus &lt; 1.16.59 - Admin+ Local File Inclusion]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.9.6.4 [UpdraftPlus WordPress Backup <= 1.9.6.3 - Cross-Site Scripting]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.9.51 [UpdraftPlus WordPress Backup Plugin <= 1.9.50 - Nonce Leak to Authorization Bypass]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.23.1 [Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.23.1 [WordPress UpdraftPlus Plugin <= 1.22.24 is vulnerable to Cross Site Request Forgery (CSRF)]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] >= 1.22.14 - <= 1.23.2 [UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] >= 1.22.14 - <= 1.23.2 [WordPress UpdraftPlus Plugin 1.22.14-1.23.2 is vulnerable to Broken Access Control]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] >= 2.22.14 - <= 2.23.2 [WordPress UpdraftPlus Plugin 2.22.14-2.23.2 is vulnerable to Broken Access Control]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.23.4 [CVE-2023-32960, WordPress UpdraftPlus Plugin <= 1.23.3 is vulnerable to Cross Site Request Forgery (CSRF), UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage, UpdraftPlus &lt; 1.23.4 - CSRF]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.23.1 [WordPress UpdraftPlus Plugin <= 1.22.24 is vulnerable to Sensitive Data Exposure]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.23.11 [CVE-2023-5982, UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update, WordPress UpdraftPlus Plugin <= 1.23.10 is vulnerable to Cross Site Request Forgery (CSRF), UpdraftPlus: WordPress Backup &amp; Migration &lt; 1.23.11 - Google Drive Storage Update via CSRF]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.24.12 [CVE-2024-10957, UpdraftPlus: WP Backup & Migration Plugin 1.23.8 - 1.24.11 - Unauthenticated PHP Object Injection, WordPress UpdraftPlus Plugin <= 1.24.11 is vulnerable to PHP Object Injection]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.25.1 [CVE-2025-0215, UpdraftPlus - Backup/Restore <= 1.24.12 - Reflected Cross-Site Scripting, EUVD-2025-1552]
  • UpdraftPlus: WP Backup &amp; Migration Plugin [updraftplus] < 1.26.5 [CVE-2026-10795, UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 (free) < 2.26.5 (premium) - Unauthenticated Authentication Bypass via UpdraftCentral udrpc]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.