Hire a Hacker Online – Hacker for rent | Hire a hacker

140k BackupBuddy installations are on alert over file-read exploits in WordPress

140k BackupBuddy installations are on alert over file-read exploits in WordPress

Updated WordPress websites running BackupBuddy are being urged to update the plugin following reports of active exploitation of a high-severity arbitrary file download/read vulnerability.

There are around 140,000 active installations of BackupBuddy, which backups WordPress sites.

Wordfence, a WordPress security firm, has blocked over 4.9 million exploit attempts related to the flaw since the abuse was first detected on August 26.

As a result of the vulnerability – tracked as CVE-2022-31474 with a CVSS score of 7.5 – unauthenticated attackers can download sensitive files from vulnerable sites without authentication.

Most observed attacks attempted to read /etc/password, /wp-config.php, .my.cnf, or .access hash files, which could be leveraged to compromise victims further, said Wordfence.

The vulnerability affected versions between and and was patched in version 8.7.5. 

IThemes informed the Daily Swig that the bug was fixed on September 2, not September 6, as Wordfence (and therefore this article too) initially stated, within hours of being “notified of suspicious activity related to a BackupBuddy installation.”

In addition, the security update is available to all vulnerable versions of BackupBuddy (8.5.8 to regardless of license status, which means none of our users will continue to run vulnerable versions.

To detect if their site has been attacked, customers should follow the steps outlined in the disclosure post. Also, we are here to help if you need help or assistance from the iThemes Help Desk.”

The Local Root Cause

Unauthenticated attackers could download any file stored on the server due to an insecure implementation of the mechanism used to download locally stored files.

“The plugin registers an admin_init hook for the function intended to download local backup files, which does not perform capability checks or validate nonces,” according to a Wordfence blog post.

Thus, unauthenticated users could call the function using any administrative page, including those without authentication (admin-post.php). An arbitrary file can be supplied and downloaded because the backup path is invalid.”

When reviewing access logs, administrators can examine the ‘local-download’ and ‘local-destination-id’ parameter values to look for signs of exploitation, Wordfence said.

The site may have been targeted for exploitation due to the presence of these parameters and a full path to a file or the company of ../../ next to a file. Also, this can suggest that the BackupBuddy plugin was likely the source of the compromise if the site is compromised.”

According to iThemes, “This incident, like many others experienced by other vendors, illustrates the increasing security awareness among WordPress users.” a much more secure platform thanks to the commitment of vendors, users, and security researchers to make security easier for everyone, and iThemes is proud to be an integral part of that.”

Share This Post


You May Also Like

Picture of Robert Lemmons
Robert Lemmons
Robert Lemmons is an IT professional who has spent his last few years in the cybersecurity field. He enjoys reading science fiction novels, especially by Isaac Asimov, and recently took up the task of writing a science fiction novel of his own.

Banner Ads


Advertisement Form

Top Spy App Review

About Us

About Us

Do you want to hire a hacker? Hireahackeronline.co is the internet's number 1 Hacker for Hire information center. You will get all the right information you need to guide you in making the right decision on how to hire a hacker. Get answers to questions like, how can I hire hacker? How can I find a hacker? And all you need to know about hiring a hacking service.

Get in Touch with Us

Don’t Miss Our News!

Subscribe to Hireahackeronline Newsletter and Get All Topical Information