A zero-day flaw in a WordPress plugin known as BackupBuddy is being actively exploited, WordPress security firm Wordfence has disclosed.
- The BackupBuddy vulnerability impacts versions 22.214.171.124 through 126.96.36.199 and has been under attack since August 27.
- The patch was released on September 2 and iThemes warned users about the ongoing attack campaign exploiting the vulnerability.
- Wordfence also confirmed the attack and stated that their firewall blocked approximately 5 million attacks in a short period of time.
The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites. A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.
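The file names Wordfence reports give defenders something concrete to hunt for in web server access logs. The following is an added example, not code from the article, Wordfence or iThemes: it scans combined-format access log lines for requests that reference those files (including URL-encoded and double-encoded forms) and tallies them per source address. The log lines, the RFC 5737 addresses and the `download=` query parameter are constructed placeholders, since the article does not name the vulnerable endpoint.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Files the article reports attackers trying to read through the BackupBuddy flaw.
TARGET_FILES = ("/etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")

# Combined log format: ip - - [date] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_sensitive_file_read(target: str) -> bool:
    """True if the request target references one of the files the campaign reads.
    Decoding twice catches both single- and double-URL-encoded paths; the query
    string is part of the target, so a file name passed as a parameter is caught."""
    decoded = unquote(unquote(target))
    return any(name in decoded for name in TARGET_FILES)

def scan_access_log(lines):
    """Return (hits, per_ip): hits is a list of (ip, target, status) for matching
    requests; per_ip counts matching requests by source address."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_sensitive_file_read(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample log lines (placeholder addresses and a placeholder endpoint).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Aug/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?download=%2Fetc%2Fpasswd HTTP/1.1" 200 2341
192.0.2.10 - - [27/Aug/2022:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?download=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
198.51.100.7 - - [27/Aug/2022:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?download=%252Fetc%252Fpasswd HTTP/1.1" 403 0
203.0.113.5 - - [27/Aug/2022:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 15400
192.0.2.10 - - [27/Aug/2022:10:04:11 +0000] "GET /wp-admin/admin-ajax.php?download=.accesshash HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    hits, per_ip = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, target, status in hits:
        # A 200 means the file was likely served; 403/404 means blocked or absent.
        print(f"{ip} {status} {target}")
    print("top sources:", per_ip.most_common(3))
```

A 200 response on a matching request is the signal to treat the site as compromised and rotate the secrets those files contain.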
Zero-day vulnerability under attack
The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 188.8.131.52 to 8.7.4.1. It has been addressed in version 8.7.5, released on September 2, 2022.
If you have determined that your site may have been compromised, you can perform the following steps:
- Reset your database password.
- Change your WordPress salts.
- Rotate other secrets in wp-config.php.
Wordfence also confirmed that the vulnerability is under attack and stated that the company’s firewall has blocked more than 4.9 million attempts since August 26. The top 10 attacking IP addresses are as follows:
Most of the intrusions have attempted to read the below files –
iThemes concluded: “This incident, like many others experienced by other vendors in the past, underscores how security-aware WordPress users have become.