BackupBuddy, a commercial plugin from iThemes that performs scheduled backups with remote storage options, has patched a vulnerability that allowed for arbitrary file download by unauthenticated users. iThemes published an advisory for its users, indicating that the vulnerability affects versions 8.5.8.0 through 8.7.4.1 and is being actively exploited.
Wordfence reviewed its data and found that attackers began targeting this vulnerability on August 26, 2022. The company has blocked nearly 5 million attacks targeting the vulnerability since that time.
Wordfence found that the method BackupBuddy used to download locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.
“Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability,” Wordfence threat analyst Chloe Chamberland said.
Wordfence found the majority of the attacks are attempting to read sensitive files, including the following:
- /etc/passwd
- /wp-config.php
- .my.cnf
- .accesshash
iThemes published specific indicators of compromise and detailed steps to detect if a site was attacked. The company outlined additional steps for sites that have been compromised.
All BackupBuddy users are advised to update to the patched version 8.7.5. iThemes made it available to all users, regardless of their current BackupBuddy licensing status, due to the severity of the vulnerability.
According to their information on the versions affected, the vulnerability was in the code for over two years. The vulnerability should have been caught by a security review, as it involves a common starting point for vulnerable code exploited by hackers.
It’s quite troubling that the developer of one of the most popular WordPress security plugins, iThemes Security, isn’t having the security of their other plugins professionally reviewed.