Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

Home/Exploitation, Malware, Security Advisory, Security Update, vulnerability, wordpress/Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

A zero-day flaw in a WordPress plugin known as BackupBuddy is being actively exploited, WordPress safety firm Wordfence has disclosed.


  • The BackupBuddy vulnerability impacts versions through and is under attack since August 27th.
  • The patch was released on September 2 and iThemes warned users about the ongoing attack campaign exploiting the vulnerability.
  • Wordfence also confirmed the attack and stated that their firewall blocked approximately 5 million attacks in a short period of time.

The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites. A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.

Zero-day vulnerability under attack

The plugin is estimated to have round 140,000 lively installations, with the flaw (CVE-2022-31474, CVSS rating: 7.5) affecting variations to eight.7.4.1. It has been addressed in model 8.7.5 launched on September 2, 2022.

 If you have determined that your site may have been compromised, you can perform the following steps:

  1. Reset your database password. 
  2. Change your WordPress salts. 
  3. Rotate other secrets in wp-config.php.

Wordfence also confirmed that the vulnerability is under attack and stated that the company’s firewall has blocked more than 4.9 million attempts since August 26. The top 10 Attacking IP Addresses are as follows:

  • with 1,960,065 attacks blocked
  • with 482,604 attacks blocked
  • with 366770 attacks blocked
  • with 344604 attacks blocked
  • with 341,309 attacks blocked
  • with 320,187 attacks blocked
  • with 303,844 attacks blocked
  • with 302,136 attacks blocked
  • with 277,545 attacks blocked
  • with 211,924 attacks blocked

Most of the intrusions have attempted to read the below files –

  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash

iThemes concluded: “This incident, like many others experienced by other vendors in the past, underscores how security-aware WordPress users have become.

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

By | 2022-09-09T22:08:40+05:30 September 9th, 2022|Exploitation, Malware, Security Advisory, Security Update, vulnerability, wordpress|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!