Headline
CVE-2022-31474: WordPress Vulnerability Report, Special Edition – September 6, 2022: BackupBuddy
Directory Traversal vulnerability in iThemes BackupBuddy plugin 8.5.8.0 - 8.7.4.1 versions.
We recently discovered a security vulnerability in our BackupBuddy plugin. The vulnerability could allow a breach of your WordPress site, so we are asking all customers to confirm your sites are running version 8.7.5 or higher of the BackupBuddy plugin.
BackupBuddy
Plugin
BackupBuddy
Vulnerability
Directory Traversal Vulnerability
Patched in Version
8.7.5
Severity Score
High
Who This Vulnerability Impacts
This vulnerability only impacts sites running BackupBuddy versions 8.5.8.0 through 8.7.4.1.
We have indications that this vulnerability is being actively exploited in the wild. We were notified of suspicious activity related to a BackupBuddy installation on September 2nd, 2022. The earliest exploits we have discovered appear to have started on August 27th, 2022.
- Once we identified the exploit, we released a patch on September 2, 2022, to resolve the exploit in BackupBuddy version 8.7.5.
- We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.
- We also pushed auto-updates for all iThemes Sync users who have BackupBuddy installed.
What Information Can Hackers Get Access To?
This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.
Indicators of Compromise
To detect if your site was attacked, look for the following indicators of compromise. Search your server’s access logs for any text that contains local-destination-id and /etc/passwd or wp-config.php with an HTTP 2xx Response. (If you need help with this, please reach out to our support team by creating a support ticket on the iThemes Help Desk.)
What You Should Do: Recommended Next Steps****1. Update BackupBuddy to version 8.7.5 immediately.
Please update to BackupBuddy 8.7.5. immediately to fix this exploit. Even if you aren’t running one of the vulnerable versions of BackupBuddy, we still recommend updating to BackupBuddy 8.7.5 as a best practice for running the latest versions of all your plugins and themes.
Running BackupBuddy on multiple WordPress sites? Use iThemes Sync to quickly update all your sites to BackupBuddy 8.7.5.
2. Follow the steps in the previous section to search for a compromise.
If you have determined that your site may have been compromised, we recommend performing the following steps.
- Reset your database password. You may have to reach out to your hosting provider to help you with this.
- Change your WordPress salts. iThemes Security can do this for you automatically via Tools > Change WordPress Salts. You can update them manually following our guide on how to change your WordPress salts and keys.
- Rotate other secrets in wp-config.php. You may have stored API keys for services like Amazon S3 in your wp-config.php file. If so, these should be reset and updated.
If your server has an exposed phpMyAdmin installation, or your WordPress server connects to a publicly accessible database server, we recommend restoring to a backup from a date prior to the earliest logged access attempt. If this isn’t possible, engage a Hack Repair service to help you manually clean your WordPress website. At a minimum, you should search for and remove any suspicious administrator users on your website and reset the passwords for all other administrator users.
If you manage your own server
- Consider rotating SSH passwords for all users. An attacker could brute force the hashed password in the file and possibly continue to gain further unauthorized access to your server.
- Consider updating your web user’s SSH keys. An attacker could read the private SSH key file and the associated known hosts that the web user might have accessed previously.
Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
Questions?
Our support team is standing by if you have questions or need help. Please open a ticket through the iThemes Help Desk.
Related news
Categories: News Tags: BackupBuddy Tags: WordPress Tags: vulnerability Tags: exploit Tags: hack Tags: compromise Tags: update We take a look at a vulnerability in popular WordPress plugin BackupBuddy, and the steps you need to take to fix it. (Read more...) The post BackupBuddy WordPress plugin vulnerable to exploitation, update now! appeared first on Malwarebytes Labs.
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. BackupBuddy allows users to back up their entire WordPress installation from within the
Site backup plugin developer issues patch following reports of millions of exploit attempts
WordPress BackupBuddy plugin versions 8.5.8.0 through 8.7.4.1 suffer from an arbitrary file read and download vulnerability.