WordPress websites running BackupBuddy are being urged to update the plugin following reports of active exploitation of a high-severity arbitrary file download/read vulnerability.
There are around 140,000 active installations of BackupBuddy, which backs up WordPress sites.
Wordfence, a WordPress security firm, has blocked over 4.9 million exploit attempts related to the flaw since the abuse was first detected on August 26.
As a result of the vulnerability – tracked as CVE-2022-31474 with a CVSS score of 7.5 – unauthenticated attackers can download sensitive files from vulnerable sites.
Most observed attacks attempted to read /etc/password, /wp-config.php, .my.cnf, or .access hash files, which could be leveraged to compromise victims further, Wordfence said.
The vulnerability affected versions between 8.5.8.0 and 8.7.4.1 and was patched in version 8.7.5.
iThemes informed the Daily Swig that the bug was fixed on September 2, not September 6, as Wordfence (and therefore this article too) initially stated, within hours of being “notified of suspicious activity related to a BackupBuddy installation.”
“In addition, the security update is available to all vulnerable versions of BackupBuddy (8.5.8 to 8.7.4.1) regardless of license status, which means none of our users will continue to run vulnerable versions.
To detect if their site has been attacked, customers should follow the steps outlined in the disclosure post. Also, we are here to help if you need help or assistance from the iThemes Help Desk.”
The Local Root Cause
Unauthenticated attackers could download any file stored on the server due to an insecure implementation of the mechanism used to download locally stored files.
“The plugin registers an admin_init hook for the function intended to download local backup files, which does not perform capability checks or validate nonces,” according to a Wordfence blog post.
“Thus, unauthenticated users could call the function using any administrative page, including those without authentication (admin-post.php). An arbitrary file can be supplied and downloaded because the backup path is invalid.”
When reviewing access logs, administrators can examine the ‘local-download’ and ‘local-destination-id’ parameter values to look for signs of exploitation, Wordfence said.
“The site may have been targeted for exploitation due to the presence of these parameters and a full path to a file or the company of ../../ next to a file. Also, this can suggest that the BackupBuddy plugin was likely the source of the compromise if the site is compromised.”
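One way to apply Wordfence's log-review advice, as an added example that is not part of the article or of Wordfence's tooling: a small Python scanner that flags requests whose local-download or local-destination-id values carry a full path or a ../ traversal. The combined access-log layout and the sample log lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlparse

# Request parameters Wordfence advises checking in access logs (named in the article).
SUSPECT_PARAMS = ("local-download", "local-destination-id")

# Assumed Apache/nginx "combined" log layout: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" after percent-decoding

def suspicious_values(target):
    """Return (param, value, reason) for download parameters that name a full path or traverse."""
    query = parse_qs(urlparse(target).query, keep_blank_values=True)  # percent-decodes values
    hits = []
    for param in SUSPECT_PARAMS:
        for value in query.get(param, []):
            if TRAVERSAL_RE.search(value):
                hits.append((param, value, "path traversal"))
            elif value.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", value):
                hits.append((param, value, "absolute path"))
    return hits

def scan_log(lines):
    """Return one finding per request whose BackupBuddy download parameters look like exploitation."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected layout
        hits = suspicious_values(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "hits": hits})
    return findings

# Constructed sample log: plain traversal, absolute path, percent-encoded traversal,
# and one legitimate download that names a backup archive by file name only.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2022:10:15:02 +0000] "GET /wp-admin/admin-post.php?local-download=../../../../wp-config.php&local-destination-id=1 HTTP/1.1" 200 2913 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Aug/2022:10:15:40 +0000] "GET /wp-admin/admin-post.php?local-download=/var/www/html/.my.cnf&local-destination-id=1 HTTP/1.1" 200 140 "-" "curl/7.68.0"
198.51.100.9 - - [27/Aug/2022:10:16:05 +0000] "GET /wp-admin/admin-post.php?local-download=..%2F..%2F..%2Fwp-config.php&local-destination-id=1 HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.44 - - [27/Aug/2022:11:02:11 +0000] "GET /wp-admin/admin-post.php?local-download=backup-2022_08_26.zip&local-destination-id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding["ts"], finding["ip"], finding["status"], finding["hits"])
```

A 200 status on a flagged request means the file was likely served, so treat the host as compromised and rotate the secrets in the files named; a 404 or 403 still records an attempt worth correlating with other activity from the same client.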
According to iThemes, “This incident, like many others experienced by other vendors, illustrates the increasing security awareness among WordPress users [...] a much more secure platform thanks to the commitment of vendors, users, and security researchers to make security easier for everyone, and iThemes is proud to be an integral part of that.”