Security researchers have discovered a new zero-day vulnerability affecting BackupBuddy, a WordPress plugin with more than 140,000 installs. The exploit allowed attackers to download files from the affected websites.
Criminals often target WordPress plugins so they can compromise websites with vulnerable components. Since web admins often neglect to install the latest versions of the various software and plugins running websites, the ground for cyberattacks is fertile.
But that’s assuming the developers know about vulnerabilities and have already released patches. In other situations, criminals use zero-day vulnerabilities, and no patches are available yet.
“After reviewing historical data, we determined that attackers started targeting this vulnerability on August 26, 2022, and that we have blocked 4,948,926 attacks targeting this vulnerability since that time,” said the security researchers from Wordfence.
“The vulnerability affects versions 8.5.8.0 to 8.7.4.1, and has been fully patched as of September 2, 2022 in version 8.7.5. Due to the fact that this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version 8.7.5 which iThemes has made available,” the researchers added.
The problem with this vulnerability is that it’s being exploited in the wild, so researchers haven’t said much about it. However, they registered over 4.9 million exploit attempts targeting this vulnerability since Aug 26, 2022. Among the files that attackers try to download are /wp-config.php and /etc/passwd, which could give them even more sensitive information.
Fortunately, the vulnerability received a patch, and users of the BackupBuddy plugin are advised to upgrade their installation to version 8.7.5 as soon as possible. Given the size of the install base, it will take a while until the patch disseminates to all users, which means this attack will continue for some time.