.png)
BOOK THIS SPACE FOR AD
ARTICLE ADAdam Bannister 08 September 2022 at 13:57 UTC
Site backup plugin developer issues patch following reports of millions of exploit attempts
WordPress websites running BackupBuddy have been urged to update the plugin amid reports of active exploitation of a high severity arbitrary file download/read vulnerability.
BackupBuddy, which is used to backup WordPress sites, and has around 140,000 active installations.
WordPress security firm Wordfence has revealed that its firewall has blocked more than 4.9 million exploit attempts related to the flaw since abuse was first detected on August 26.
The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites.
Read more of the latest WordPress security news
A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.
The vulnerability affects versions between 8.5.8.0 and 8.7.4.1, and was patched on Tuesday (September 6) in version 8.7.5. iThemes, the plugin’s developer, has made the patch available to all site owners regardless of licensing status.
Local root cause
The vulnerability arose from an insecure implementation of the mechanism used to download locally stored files, meaning unauthenticated attackers could download any file stored on the server.
“More specifically the plugin registers an hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation,” according to a Wordfence blog post published on September 6.
“This means that the function could be triggered via any administrative page, including those that can be called without authentication (), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.”
Sysadmins can find signs of exploitation by “checking for the ‘’ and/or the ‘’ parameter value when reviewing requests in your access logs,” said Wordfence.
“Presence of these parameters along with a full path to a file or the presence of to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.”
YOU MIGHT ALSO LIKE A rough guide to launching a career in cybersecurity
Bengali (Bangladesh) · 
English (United States) ·