CVE-2022-31474: 0-day WordPress BackupBuddy plugin affects 140,000 websites
A high-severity vulnerability in the BackupBuddy WordPress plugin can allow an unauthenticated attacker to obtain website backups that could contain sensitive information.
BackupBuddy is a WordPress premium plugin that has a lot of great features for backing up and restoring websites. It has a very easy-to-use interface and is one of the best WordPress full-site backup plugins available. This plugin has been around since 2010 and is very well known and respected. This plugin has around 140,000 active installations.
On September 2, the plugin’s developers released an update to address CVE-2022-31474 (CVSS score of 7.5), a security error that allows “an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.”
According to Wordfence, an unauthenticated attacker can exploit the flaw to download arbitrary files from the affected site which can include sensitive information.
When discovered, the flaw was being actively exploited, and Wordfence warned WordPress website administrators that the plugin had been updated with a new version, urging them to upgrade it immediately.
Over the past two weeks, Wordfence has seen a massive surge in the number of attack attempts targeting the vulnerability, with 4,948,926 attacks. The top 10 Attacking IP Addresses are as follows:
- 188.8.131.52 with 1,960,065 attacks blocked
- 184.108.40.206 with 482,604 attacks blocked
- 220.127.116.11 with 366770 attacks blocked
- 18.104.22.168 with 344604 attacks blocked
- 22.214.171.124 with 341,309 attacks blocked
- 126.96.36.199 with 320,187 attacks blocked
- 188.8.131.52 with 303,844 attacks blocked
- 184.108.40.206 with 302,136 attacks blocked
- 220.127.116.11 with 277,545 attacks blocked
- 18.104.22.168 with 211,924 attacks blocked
A majority of the attacks we have observed are attempting to read the following files:
The CVE-2022-31474 vulnerability only impacts sites running BackupBuddy versions 22.214.171.124 through 126.96.36.199. A complete patch was released last week when BackupBuddy version 8.7.5 was rolled out. WordPress admins are advised to update to a patched version of the plugin as soon as possible.