Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

UPDATED WordPress websites running BackupBuddy have been urged to update the plugin amid reports of active exploitation of a high severity arbitrary file download/read vulnerability.

BackupBuddy, which is used to backup WordPress sites, and has around 140,000 active installations.

WordPress security firm Wordfence has revealed that its firewall has blocked more than 4.9 million exploit attempts related to the flaw since abuse was first detected on August 26.

The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites.

A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.

The vulnerability affects versions between 8.5.8.0 and 8.7.4.1, and was patched in version 8.7.5. 

iThemes, the plugin developer, told The Daily Swig that the bug was patched on September 2, not on September 6 as Wordfence (and therefore this article too) initially stated, within hours of being “notified of suspicious activity related to a BackupBuddy installation”.

It continued: “We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.

“We recommend that customers follow the steps outlined in the disclosure post to detect if their site was attacked. Our support team is standing by to help if anyone needs help or assistance from the iThemes Help Desk.”

Local root cause

The vulnerability arose from an insecure implementation of the mechanism used to download locally stored files, meaning unauthenticated attackers could download any file stored on the server.

“More specifically the plugin registers an admin_init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation,” according to a Wordfence blog post published on September 6.

“This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.”

Sysadmins can find signs of exploitation by “checking for the ‘local-download’ and/or the ‘local-destination-id’ parameter value when reviewing requests in your access logs,” said Wordfence.

“Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.”

iThemes concluded: “This incident, like many others experienced by other vendors in the past, underscores how security-aware WordPress users have become. WordPress as a whole has become a much more secure platform thanks to the commitment of vendors, users, and security researchers to make security easier for everyone, and iThemes is proud to be an integral part of that.”

Advertisement. Scroll to continue reading.

This article was updated on September 8 with comment from iThemes

Source: https://portswigger.net/daily-swig/wordpress-warning-140k-backupbuddy-installations-on-alert-over-file-read-exploitation

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO