A zero-day in a WordPress plugin known as BackupBuddy is being exploited in the wild. The plugin is used to back up an entire WordPress installation from within the dashboard.

About the zero-day

The flaw in the BackupBuddy plugin exists in a function named Local Directory Copy, which is intended to save a local copy of the backups. The zero-day arises from an insecure implementation of this function.
  • When exploited, the bug allows downloading arbitrary files from the affected site including sensitive information. 
  • The flaw is tracked as CVE-2022-31474 and affects versions 8.5.8.0 to 8.7.4.1.
  • However, the flaw has been fixed in version 8.7.5, which was released by the vendor on September 2.

This flaw allows an attacker to view the contents of any file on the server that is readable by the WordPress installation. This includes the wp-config[.]php file and, depending on the server setup, sensitive system files such as /etc/passwd.

More details

  • Abuse of the flaw started on August 26, and an IT security firm has blocked around five million attacks since then.
  • Most intrusion attempts have tried to read the files /etc/passwd, /wp-config[.]php, .my[.]cnf, and .accesshash.
  • Additional details about the flaw are not disclosed due to active/ongoing abuse and ease of exploitation.

What to do?

BackupBuddy plugin users are advised to upgrade to the latest version, 8.7.5. They should also determine whether they were targeted and reset the database password. It is further recommended to rotate any API keys stored in wp-config[.]php and to change the WordPress salts.
Cyware Publisher