Vulnerability in WordPress BackupBuddy Plugin Exploited By Hackers

Hackers have attempted to exploit a zero-day flaw in a WordPress plugin called BackupBuddy five million times, sometimes successfully.

The news comes from WordPress security-focused company Wordfence, which published an advisory about the flaw earlier this week.

“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” reads the blog post.

According to the security experts, this could include the WordPress wp-config.php file, which contains the website’s database name, host, username and password, and, depending on the server setup, sensitive files such as /etc/passwd.

For context, the BackupBuddy plugin, currently estimated to have 140,000 active installations, allows users to back up their WordPress installation, including theme files, pages, posts, widgets, users and media files.

“Unfortunately, the method to download these locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server,” Wordfence wrote.

After reviewing historical data, the team determined that attackers started targeting this vulnerability on August 26, 2022. Wordfence claimed to have blocked 4,948,926 attacks targeting this vulnerability since that time.

The vulnerability affected versions 8.5.8.0 to 8.7.4.1 of the plugin and was fully patched on September 02, 2022, in version 8.7.5.

“Due to the fact that this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version 8.7.5, which iThemes has made available to all site owners running a vulnerable version regardless of licensing status,” the advisory said.

“Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability,” Wordfence concluded.

The vulnerability comes months after WordPress forcibly updated over a million sites to patch a critical vulnerability affecting the Ninja Forms plugin.