WordPress BackupBuddy Plugin Exploit affects 140K Sites
Users of WordPress websites running BackupBuddy(plugin to take WordPress websites backup) have been urged to update the plugin amid reports of active exploitation of a high severity arbitrary file download/read vulnerability.
WordPress security firm Wordfence has revealed that its firewall has blocked more than 4.9 million exploit attempts related to the flaw since its first detection of the flaw.
The issue tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites.
Most observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.
With over 140,000 active installations. The vulnerability affects versions between 126.96.36.199 and 188.8.131.52 and was patched in version 8.7.5.
The vulnerability arose from an insecure implementation of the mechanism used to download locally stored files, meaning unauthenticated attackers could download any file stored on the server.
More specifically the plugin registers an admin init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation.Wordfence Blog Statement
Sysadmins can find signs of exploitation by “checking for the ‘local-download’ and/or the ‘local-destination-id’ parameter value when reviewing requests in your access logs,” said Wordfence.