New zero-day vulnerability in BackupBuddy plugin leaves WordPress users at risk

The vulnerability could allow unauthenticated users to download sensitive information and files from affected servers

By Jimmy Pezzone September 10, 2022, 9:05

New zero-day vulnerability in BackupBuddy plugin leaves WordPress users at risk

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

Why it matters: WordPress plugin developer, iThemes, alerted users to a vulnerability related to their BackupBuddy extension earlier this week. The security hole leaves plugin users susceptible to unauthorized access by malicious actors, providing them with the opportunity to steal sensitive files and information. The flaw affects any sites running BackupBuddy 8.5.8.0 through 8.7.4.1. Users should update to version 8.7.5 to patch the hole.

According to iThemes researchers, Hackers are actively exploiting the vulnerability (CVE-2022-31474) across impacted systems using specific versions of the BackupBuddy plugin. The exploit allows attackers to view the contents of any WordPress-accessible file on the affected server. This includes those with sensitive information, including /etc/passwd, /wp-config.php, .my.cnf, and .accesshash. These files can provide unauthorized access to system user details, WordPress database settings, and even authentication permissions to the affected server as the root user.

Administrators and other users can take steps to determine if their site was compromised. Authorized users can review an impacted server's logs containing local-destination-id and /etc/passed or wp-config.php that return an HTTP 2xx response code, indicating a successful response was received.

WordPress security solution developer Wordfence identified millions of attempts to exploit the vulnerability dating back to August 26th. According to Wordfence security researchers, users and administrators should check server logs for references to the aforementioned local-destination-id folder and the local-download folder. The PSA went on to list the top IPs associated with the attempted attacks, which include:

195.178.120.89 with 1,960,065 attacks blocked
51.142.90.255 with 482,604 attacks blocked
51.142.185.212 with 366,770 attacks blocked
52.229.102.181 with 344,604 attacks blocked
20.10.168.93 with 341,309 attacks blocked
20.91.192.253 with 320,187 attacks blocked
23.100.57.101 with 303,844 attacks blocked
20.38.8.68 with 302,136 attacks blocked
20.229.10.195 with 277,545 attacks blocked
20.108.248.76 with 211,924 attacks blocked

Researchers at iTheme provide compromised BackupBuddy users with several steps designed to mitigate and prevent further unauthorized access. These steps include resetting WordPress database passwords, changing WordPress salts, updating API keys stored in the wp-config.php file, and updating SSH passwords and keys. Customers requiring additional support can submit support tickets via the iThemes Help Desk.

Image credit: Justin Morgan

3 comments 41 likes and shares

Tech Jobs: Find the next step in your career

Related Stories

Featured on TechSpot