Wordfence analysts have discovered that a fresh 0-day vulnerability in BackupBuddy, a popular WordPress plugin with about 140,000 installations, is under active attack. Since August 26, 2022, about 5,000,000 exploitation attempts have been recorded.
The BackupBuddy plugin lets users back up their entire WordPress installation right from the dashboard, including theme files, pages, posts, widgets, users, media files and so on.
Let me remind you that we also talked about Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that About 30% of critical vulnerabilities in WordPress plugins remain unpatched.
The 0-day vulnerability has been identified as CVE-2022-31474 (CVSS 7.5) and affects BackupBuddy versions 22.214.171.124 through 126.96.36.199. The problem was fixed in early September, with the release of version 8.7.5.
The researchers explain that the bug allows unauthorized parties to download arbitrary files from a vulnerable site, including files that may contain sensitive information. The problem is known to lie in the Local Directory Copy function, which is designed to store a local copy of backups.
According to Wordfence, the attacks on CVE-2022-31474 began on August 26, 2022, and since that date, nearly five million hack attempts have been recorded. Most hackers tried to read the following files:
BackupBuddy users are now strongly advised to update the plugin to the latest version. Users who believe they may have been compromised are advised to immediately reset the database password and change the WordPress salts and any API keys stored in wp-config.php.
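As an added example that is not part of the original article or of Wordfence's or BackupBuddy's own tooling, the following Python script performs one of the post-compromise steps listed above: it rotates the eight WordPress authentication key and salt constants in wp-config.php text, and reports any that are missing. The embedded configuration fragment is constructed for the demonstration; the function names are this example's own.

```python
import re
import secrets
from typing import Set, Tuple

# The eight authentication keys and salts WordPress expects in wp-config.php.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quotes and backslash, so a new value can be dropped
# into a single-quoted PHP string without any escaping.
SALT_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")

# One define('KEY', 'value'); statement for any of the salt keys.
DEFINE_RE = re.compile(
    r"define\(\s*['\"](" + "|".join(WP_SALT_KEYS)
    + r")['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)\s*;"
)


def new_salt(length: int = 64) -> str:
    """Return one cryptographically random salt of the given length."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def rotate_salts(config_text: str) -> Tuple[str, Set[str]]:
    """Replace the value of every salt define found; return the new text and the keys rotated."""
    rotated: Set[str] = set()

    def _replace(match: "re.Match[str]") -> str:
        key = match.group(1)
        rotated.add(key)
        return "define('%s', '%s');" % (key, new_salt())

    return DEFINE_RE.sub(_replace, config_text), rotated


def missing_salts(config_text: str) -> Set[str]:
    """Keys with no define in the file; these must be added, not merely rotated."""
    present = {m.group(1) for m in DEFINE_RE.finditer(config_text)}
    return set(WP_SALT_KEYS) - present


# Constructed sample wp-config.php fragment (not from any real site), still on
# the placeholder values WordPress ships with.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'wordpress' );\n" + "".join(
    "define( '%s', 'put your unique phrase here' );\n" % k for k in WP_SALT_KEYS
)
```

On a live site WP-CLI's `wp config shuffle-salts` does the same job; with this script, take a backup first and then write the returned text back to wp-config.php, which logs out every existing session.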