
Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

Written by admin



Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, about a week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

A Directory Traversal Bug

In an announcement on its website, iThemes described the directory traversal vulnerability as affecting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” the plug-in maker warned.

iThemes’ alerts provided guidance on how website operators can determine whether their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.
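One of the remediation steps above, changing the WordPress salts, amounts to replacing the eight authentication key and salt constants that WordPress defines in wp-config.php; doing so invalidates every existing login cookie. The following is an added example, not code from iThemes or the article, that rewrites those constants in a config file with freshly generated random values. The wp-config.php text it operates on is a constructed sample; the constant names (AUTH_KEY through NONCE_SALT) are the real ones WordPress uses, and the function refuses to produce a partial rotation if any of them is missing.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php text.

Added example (not from iThemes, Wordfence or the article). The eight constant
names are WordPress's own; the sample config below is constructed.
"""
import re
import secrets
import string

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Characters that are safe inside a single-quoted PHP string: no quote, no backslash.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.<>?/|~"

# Matches one define('NAME', 'value'); line, tolerating WordPress's aligned spacing.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

# Constructed sample wp-config.php fragment with the stock placeholder salts.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'old-db-pass' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def new_salt(length: int = 64) -> str:
    """Cryptographically random salt from the PHP-safe alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text: str):
    """Return (updated_config, {name: new_value}).

    Only the eight salt constants are touched; DB_* and other defines are left
    exactly as they were. Raises ValueError if any salt constant is absent, so
    a half-rotated file is never produced.
    """
    new_values = {}

    def replace_value(m):
        name = m.group("name")
        if name not in SALT_NAMES:
            return m.group(0)  # not a salt: keep the line byte-for-byte
        value = new_salt()
        new_values[name] = value
        whole = m.group(0)
        start = m.start("value") - m.start()
        end = m.end("value") - m.start()
        # Splice the new value in, preserving the original spacing/layout.
        return whole[:start] + value + whole[end:]

    updated = DEFINE_RE.sub(replace_value, config_text)
    missing = set(SALT_NAMES) - set(new_values)
    if missing:
        raise ValueError(f"salt constants missing from config: {sorted(missing)}")
    return updated, new_values


if __name__ == "__main__":
    rotated, values = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```

When applying this to a live site, write the result to a temporary file and rename it over wp-config.php so a crash cannot leave a truncated config, and remember that the salts are only one of the secrets the advisory says to rotate: the database password and any API keys stored in the same file have to be changed through their own channels.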

Wordfence said it had seen attackers using the flaw to try to retrieve “sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim.”
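The requests Wordfence describes leave a recognisable trace in web server access logs: traversal sequences aimed at files like wp-config.php and /etc/passwd, often URL-encoded or double-encoded to slip past naive filters. The following is an added example, not code from Wordfence or the article, that scans combined-format access log lines for that pattern and reports which ones hit. The log entries are constructed; the endpoint and parameter name in them (`admin-ajax.php?action=example&file=`) are placeholders and are not the plug-in's real request path.

```python
"""Flag directory-traversal attempts against sensitive files in access logs.

Added example (not Wordfence's or iThemes' code). The sample log lines are
constructed; the request path and parameter names in them are placeholders.
"""
import re
from urllib.parse import unquote

# Constructed sample entries in Apache/nginx combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Aug/2022:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Aug/2022:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Aug/2022:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "curl/7.81"
192.0.2.44 - - [27/Aug/2022:10:03:30 +0000] "GET /wp-content/uploads/2022/08/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.45 - - [27/Aug/2022:10:04:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status code.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Files the article names as the targets of the observed read attempts.
SENSITIVE_TARGETS = ("wp-config.php", "/etc/passwd")


def normalise(target: str) -> str:
    """URL-decode up to three times (catches double encoding) and unify slashes."""
    prev, cur = None, target
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(line: str):
    """Return a dict describing a suspicious request, or None if benign/unparseable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    norm = normalise(target)
    traversal = "../" in norm
    sensitive = next((t for t in SENSITIVE_TARGETS if t in norm), None)
    if not (traversal or sensitive):
        return None
    return {"ip": ip, "time": ts, "method": method, "status": int(status),
            "traversal": traversal, "target_file": sensitive, "raw": target}


def scan(log_text: str):
    """All suspicious requests in a block of log text, in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The status code matters when triaging the hits: a 403 means the request was blocked, while a 200 on a traversal request against a then-unpatched site means the file was most likely served, which is the case where the post-compromise steps iThemes lists (new database password, new salts, rotated keys) should be carried out rather than just applying the update.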

WordPress Plug-in Security: An Endemic Problem

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments in recent years, almost all of them involving plug-ins.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021, and more than 97% of them affected plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-ins had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities affecting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another problem. A large-scale study of over 400,000 websites conducted by researchers at the Georgia Institute of Technology uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

“As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product,” he explains, adding that vetting these products is also challenging because of their sheer volume and lack of clear provenance.

“Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions,” Yu notes. “Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious [plug-ins, integrations, and third-party apps] don’t create problems for their customers,” he adds.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals rather than IT or security professionals, says Bud Broomhead, CEO at Viakoo.

“Installing is easy and removing is an afterthought or never done,” Broomhead tells Dark Reading. “Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress.”

Broomhead adds, “Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins.”
