A severe zero-day vulnerability in the Backup Buddy plugin has been revealed. The researchers detected millions of exploitation attempts for the flaw before it received a patch. Since the vulnerability has already caught the attention of criminal hackers, WordPress users must ensure to update their websites with the latest plugin version to receive the patch.
Backup Buddy Zero-Day Vulnerability
According to a recent post from Wordfence, they noticed active exploitation of a zero-day vulnerability in the Backup Buddy WordPress plugin.
Backup Buddy is a dedicated plugin for WordPress sites enabling users to manage site backups. The plugin also allows users to manage the backups in multiple cloud locations, such as AWS, Google Drive, etc., alongside supporting local backup storage. That’s where the vulnerability existed.
The researchers noticed that this local download feature for backup files had insecure implementation. Thus, an adversary could easily download any arbitrary file from the server. Describing the exact cause triggering the glitch, the researchers stated in their post,
More specifically the plugin registers an
admin_inithook for the function intended to download local backup files and the function itself did not have any capability checks nor any nonce validation.
Hence, an adversary could download any file from the backup by calling the function from any administrative page, even without authentication.
According to Wordfence, they could detect (and block) at least 49 million exploitation attempts on this vulnerability since August 2022. The attackers originated from multiple IP addresses, each waging several thousand attack attempts. Most of these attacks intended to obtain sensitive information by accessing the files /etc/passwd, /wp-config.php, .my.cnf, and .accesshash.
Patch Deployed
The researchers found the vulnerability affecting the plugin versions 8.5.8.0 to 8.7.4.1. Following the researchers’ report, the vendors fixed the flaw with the release of the Backup Buddy plugin version 8.7.5.
Given the flaw’s active exploitation and the subsequent patch release, Wordfence urges users to update their sites with the latest plugin version.
Moreover, users should also check their websites for a possible compromise by looking for the local-download and local-destination-id parameter value in the requests in the access log. According to Wordfence,
Presence of these parameters along with a full path to a file or the presence of
../../to a file indicates the site may have been targeted for exploitation by this vulnerability.
Let us know your thoughts in the comments.