Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in About 5 Million Attempts

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security firm Wordfence has revealed.

“This vulnerability allows unauthenticated users to download arbitrary files from the affected site that may include sensitive information,” the company said.

BackupBuddy allows users to back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.

The plugin is estimated to have around 140,000 active installs, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It was fixed in version 8.7.5 released on September 2, 2022.

The problem is rooted in the feature called “Local Directory Copy”, which is designed to store a local copy of backups. According to Wordfence, the vulnerability is the result of an insecure implementation, which allows an unauthenticated malicious actor to download any arbitrary file from the server.

Additional details about the flaw have been withheld in light of active abuse in the wild and its ease of exploitation.

“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” plugin developer iThemes said. “This could include the WordPress wp-config.php file and, depending on your server configuration, sensitive files like /etc/passwd.”

Wordfence noted that targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. Most of the attempts tried to read the files below:

  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash

BackupBuddy plugin users are encouraged to upgrade to the latest version. If users determine that they may have been compromised, it is recommended to reset the database password, change WordPress salts, and rotate API keys stored in wp-config.php.
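
One way to triage web server access logs for requests naming the files listed above, as an added example that is not from Wordfence or iThemes. It assumes logs in combined format; the sample lines, IP addresses and query parameter names are constructed and do not reflect the actual exploit request, which the article does not describe.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Targets the article lists; the leading slash of wp-config.php is dropped
# so that relative references also match.
TARGETS = ("/etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")

# Combined/common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_uri(text, rounds=3):
    """URL-decode repeatedly so single- and double-encoded paths both match."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def find_suspicious(lines):
    """Return {ip: [(timestamp, status, target), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Only the query string is inspected: that is where a file name
        # passed as a request parameter shows up in an access log.
        query = decode_uri(m["uri"].partition("?")[2])
        for target in TARGETS:
            if target in query:
                hits[m["ip"]].append((m["ts"], int(m["status"]), target))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up parameter names).
SAMPLE = [
    '203.0.113.7 - - [27/Aug/2022:10:01:02 +0000] "GET /index.php?f=%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [27/Aug/2022:10:01:05 +0000] "GET /index.php?f=../wp-config.php HTTP/1.1" 403 199',
    '198.51.100.4 - - [27/Aug/2022:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
    '192.0.2.9 - - [28/Aug/2022:03:14:15 +0000] "GET /?x=%252Fetc%252Fpasswd HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for ip, events in find_suspicious(SAMPLE).items():
        for ts, status, target in events:
            print(f"{ip} [{ts}] requested {target} -> HTTP {status}")
```

Access logs record only the request line, so a file name sent in a request body will not appear; treat an empty result as inconclusive rather than as proof the site was not targeted.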
