A zero-day flaw in a WordPress plugin known as BackupBuddy is being actively exploited, WordPress security firm Wordfence has disclosed.
“This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information,” it said.
BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.
The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It has been addressed in version 8.7.5, released on September 2, 2022.
The issue is rooted in the function called “Local Directory Copy” that is designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of an insecure implementation, which allows an unauthenticated threat actor to download any arbitrary file on the server.
Further details about the flaw have been withheld in light of active in-the-wild abuse and its ease of exploitation.
“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” the plugin’s developer, iThemes, said. “This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.”
Wordfence noted that the targeting of CVE-2022-31474 commenced on August 26, 2022, and that it has blocked nearly 5 million attacks in that time period. Most of the intrusions have attempted to read the files below –
- /etc/passwd
- /wp-config.php
- .my.cnf
- .accesshash
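As an added example (not from the article, Wordfence or iThemes), the following Python scanner flags web-server access-log entries that reference the files listed above, percent-decoding the request (including double encoding) so traversal variants are caught. It assumes the requested file name appears in the request line, which is what the reported probes suggest; the log lines and the `f` query parameter are constructed placeholders, not the plugin's real request format.

```python
import re
from urllib.parse import unquote

# Files that Wordfence reported attackers attempting to read (listed in the article).
SENSITIVE_FILES = ("etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")
# Combined log format (Apache/nginx): client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def normalize(target: str) -> str:
    """Percent-decode until stable (catches double encoding), unify slashes, lowercase."""
    decoded = target
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/").lower()

def match_sensitive(target: str):
    """Return the first sensitive file name referenced anywhere in the request, else None."""
    norm = normalize(target)
    return next((name for name in SENSITIVE_FILES if name in norm), None)

def scan(lines):
    """Return one finding per request whose path or query references a sensitive file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hit = match_sensitive(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "file": hit,
                             "status": int(m["status"]), "target": m["target"]})
    return findings

# Constructed sample log lines (not real traffic); the "f" query parameter is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2022:10:15:32 +0000] "GET /index.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1874',
    '198.51.100.9 - - [26/Aug/2022:10:16:01 +0000] "GET /wp-content/uploads/2022/08/photo.jpg HTTP/1.1" 200 48213',
    '203.0.113.5 - - [26/Aug/2022:10:16:40 +0000] "GET /index.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 200 3301',
    '192.0.2.77 - - [27/Aug/2022:02:03:11 +0000] "GET /index.php?f=../.accesshash HTTP/1.1" 403 199',
]
if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} file={f['file']} target={f['target']}")
```

A hit with status 200 and a non-trivial response size is the case to treat as a likely successful read and to follow with the credential rotation described below; a 403 indicates the request was blocked.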
Users of the BackupBuddy plugin are advised to upgrade to the latest version. Should users determine that they may have been compromised, it is recommended to reset the database password, change the WordPress Salts, and rotate any API keys stored in wp-config.php.