Wordfence analysts discovered that a recently disclosed bug in the popular WordPress plugin BackupBuddy, which has roughly 140,000 active installations, is under active attack. Since August 26, 2022, they have recorded about 5,000,000 exploitation attempts.
The BackupBuddy plugin lets site owners back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users and media files.
The zero-day vulnerability is tracked as CVE-2022-31474 (CVSS 7.5) and affects BackupBuddy versions 8.5.8.0 through 8.7.4.1. It was fixed in early September 2022 with the release of version 8.7.5.
The researchers explain that the bug lets unauthenticated visitors download arbitrary files from a vulnerable site, including files that hold sensitive data. The flaw lies in the Local Directory Copy feature, which stores a local copy of backups: the routine that serves the local copy takes the file to send from the request without verifying who is asking or restricting the path to the backup directory.
“This vulnerability allows an attacker to view the contents of any file on the server that your WordPress installation can access. This can be the WordPress wp-config.php file or, depending on the server settings, confidential files such as /etc/passwd,” the experts warn.
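The pattern the researchers describe, as an added illustration rather than BackupBuddy's actual code: a hypothetical local-download handler in PHP, first with the request-value-to-filesystem flaw and then with the checks that close it. The function and file names, the scratch directory, and the `$is_privileged` flag standing in for WordPress's capability and nonce checks are all assumptions of the example.

```php
<?php
// Added example, not BackupBuddy's code. A hypothetical "local download" handler
// of the kind the article describes, first in the unsafe shape and then hardened.
// Run with: php local_download_demo.php  (creates and removes a scratch directory)

// Unsafe: the requested path goes straight to the filesystem, so whoever can reach
// this code, logged in or not, chooses the file (wp-config.php, /etc/passwd, ...).
function unsafe_local_download(string $requested): ?string
{
    if (!is_file($requested) || !is_readable($requested)) {
        return null;
    }
    return file_get_contents($requested); // a real handler would readfile() to the client
}

// Hardened. $is_privileged stands in for the capability and nonce check a WordPress
// handler must do first, e.g. current_user_can('manage_options') &&
// wp_verify_nonce($_GET['_wpnonce'], 'local-download'); those functions only exist
// inside WordPress, so this demo passes a boolean instead.
function safe_local_download(string $requested, string $backup_dir, bool $is_privileged): ?string
{
    if (!$is_privileged) {
        return null; // refuse before touching the filesystem
    }
    $name = basename(str_replace('\\', '/', $requested)); // drop every directory component
    if (!preg_match('/^[A-Za-z0-9._-]+\.zip$/', $name) || strpos($name, '..') !== false) {
        return null; // only plain archive names are served
    }
    $root = realpath($backup_dir);
    $path = realpath($backup_dir . '/' . $name);
    // realpath() resolves symlinks and "..": the result must still be inside $root.
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Scratch layout: backups/site-backup.zip (legitimate) and a sibling wp-config.php (secret).
$base = sys_get_temp_dir() . '/bb-demo-' . getmypid();
$backup_dir = "$base/backups";
mkdir($backup_dir, 0700, true);
file_put_contents("$backup_dir/site-backup.zip", 'FAKE-ARCHIVE');
$secret = "$base/wp-config.php";
file_put_contents($secret, "<?php define('DB_PASSWORD', 'hunter2');");
$has_link = @symlink($secret, "$backup_dir/link.zip"); // symlink pointing outside the root

// [label, was a file served?, should it have been?]
$cases = [
    ['unsafe, no auth, secret by absolute path', unsafe_local_download($secret) !== null, true],
    ['safe, no auth, legitimate name',           safe_local_download('site-backup.zip', $backup_dir, false) !== null, false],
    ['safe, auth, legitimate name',              safe_local_download('site-backup.zip', $backup_dir, true) === 'FAKE-ARCHIVE', true],
    ['safe, auth, traversal to secret',          safe_local_download('../wp-config.php', $backup_dir, true) !== null, false],
    ['safe, auth, absolute path',                safe_local_download('/etc/passwd', $backup_dir, true) !== null, false],
];
if ($has_link) {
    $cases[] = ['safe, auth, symlink escaping root', safe_local_download('link.zip', $backup_dir, true) !== null, false];
}
foreach ($cases as [$label, $served, $expect_served]) {
    printf("%-42s served=%-4s %s\n", $label, $served ? 'yes' : 'no', $served === $expect_served ? 'ok' : 'UNEXPECTED');
}

// Clean up the scratch directory.
if ($has_link) {
    unlink("$backup_dir/link.zip");
}
unlink("$backup_dir/site-backup.zip");
unlink($secret);
rmdir($backup_dir);
rmdir($base);
```

The two checks that matter are the authorization gate before any filesystem access and the realpath()-based containment test; basename() and the extension allow-list on their own would still serve the symlink case, which is why the resolved path is compared against the resolved root rather than the raw name.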
According to Wordfence, attacks on CVE-2022-31474 began on August 26, 2022, and nearly five million exploitation attempts have been recorded since then. Most of them tried to read the following files:
BackupBuddy users are strongly advised to update the plugin to the latest version. Site owners who believe they may have been compromised should immediately reset the database password, change the WordPress salts, and rotate any API keys stored in wp-config.php, since a successful read of that file exposes all of them.
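One way to look for the exploitation attempts Wordfence describes above in your own access logs, added here as an example and not Wordfence's tooling: the script flags requests under /wp-admin/ whose query parameters carry an absolute path, a traversal sequence or a sensitive file name such as wp-config.php or passwd. The log lines are constructed for the demo; the `local-download` parameter name and the admin-ajax.php endpoint they use are assumptions, and the checks do not depend on the parameter name.

```php
<?php
// Added example, not Wordfence's detection code. Scans combined-format access log
// lines for requests that try to read wp-config.php, /etc/passwd or traverse out of
// a directory through a download-style parameter under /wp-admin/.
// Run with: php scan_backupbuddy_log.php [/path/to/access.log]
// Without an argument it scans the constructed sample lines below.

const SENSITIVE_NAMES = ['wp-config.php', 'passwd', 'shadow', '.my.cnf', '.htpasswd'];

// Parse one Apache/nginx combined-format line into the fields we need.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Decode a parameter value the way a lax handler would end up seeing it: URL-decode
// twice (double encoding is a common filter bypass) and normalise backslashes.
function normalise_value(string $v): string
{
    return str_replace('\\', '/', rawurldecode(rawurldecode($v)));
}

// Reasons a decoded value looks like a file-read attempt; empty array if none.
function suspicious_reasons(string $v): array
{
    $reasons = [];
    if (strpos($v, '../') !== false) {
        $reasons[] = 'path traversal';
    }
    if ($v !== '' && $v[0] === '/') {
        $reasons[] = 'absolute path';
    }
    if (in_array(strtolower(basename($v)), SENSITIVE_NAMES, true)) {
        $reasons[] = 'sensitive file name';
    }
    return $reasons;
}

// Scan log lines; one finding per suspicious parameter value.
function scan_lines(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $parts = parse_url($req['target']);
        if ($parts === false) {
            continue;
        }
        $path  = $parts['path'] ?? '';
        $query = $parts['query'] ?? '';
        if (strpos($path, '/wp-admin/') === false || $query === '') {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            $decoded = normalise_value($value);
            $reasons = suspicious_reasons($decoded);
            if ($reasons) {
                $findings[] = ['ip' => $req['ip'], 'status' => $req['status'], 'param' => (string) $name,
                               'value' => $decoded, 'reasons' => implode(', ', $reasons)];
            }
        }
    }
    return $findings;
}

// Constructed sample lines (RFC 5737 test addresses); "local-download" is an assumed parameter name.
$sample = [
    '203.0.113.5 - - [26/Aug/2022:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?local-download=/etc/passwd HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Aug/2022:10:15:03 +0000] "GET /wp-admin/admin-ajax.php?local-download=../../../wp-config.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Aug/2022:01:02:03 +0000] "GET /wp-admin/admin-ajax.php?local-download=..%252f..%252fwp-config.php HTTP/1.1" 403 212 "-" "curl/7.79"',
    '192.0.2.10 - admin [27/Aug/2022:09:00:00 +0000] "GET /wp-admin/admin-ajax.php?local-download=backup-2022-08-27.zip HTTP/1.1" 200 5242880 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Aug/2022:01:02:04 +0000] "GET /index.php?p=../../../etc/passwd HTTP/1.1" 404 110 "-" "curl/7.79"',
];
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;

$findings = scan_lines($lines);
foreach ($findings as $f) {
    // An HTTP 200 on one of these is the one to escalate: the file was most likely served.
    printf("%-14s HTTP %d  %s=%s  [%s]\n", $f['ip'], $f['status'], $f['param'], $f['value'], $f['reasons']);
}
$per_ip = array_count_values(array_column($findings, 'ip'));
arsort($per_ip);
foreach ($per_ip as $ip => $n) {
    printf("%s: %d suspicious request(s)\n", $ip, $n);
}
```

On the sample input the first three lines are flagged (two of them with HTTP 200, which is the signal that the server actually returned content), the legitimate archive download is not, and the /index.php probe is ignored because it is outside /wp-admin/. Pair a hit with the remediation above: if a 200 was returned for wp-config.php, treat the database password, salts and keys in it as exposed.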