iThemes Patches Vulnerability in BackupBuddy, Wordfence Tracks 5 Million Exploit Attempts

BackupBuddy, a commercial plugin from iThemes that performs scheduled backups with remote storage options, has patched a vulnerability that allowed for arbitrary file download by unauthenticated users. iThemes published an advisory for its users, indicating that the vulnerability affects versions 8.5.8.0 through 8.7.4.1 and is being actively exploited.

Wordfence reviewed its data and found that attackers began targeting this vulnerability on August 26, 2022. The company has blocked nearly 5 million attacks targeting the vulnerability since that time.

Wordfence found that the method BackupBuddy used to download locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.

“Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability,” Wordfence threat analyst Chloe Chamberland said.

Wordfence found the majority of the attacks are attempting to read sensitive files, including the following:

  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash

iThemes published specific indicators of compromise and detailed steps to detect if a site was attacked. The company outlined additional steps for sites that have been compromised.

All BackupBuddy users are advised to update to the patched version 8.7.5. iThemes made it available to all users, regardless of their current BackupBuddy licensing status, due to the severity of the vulnerability.

1

One response to “iThemes Patches Vulnerability in BackupBuddy, Wordfence Tracks 5 Million Exploit Attempts”

  1. According to their information on the versions affected, the vulnerability was in the code for over two years. The vulnerability should have been caught by a security review, as it involves a common starting point for vulnerable code exploited by hackers.

    It’s quite troubling that the developer of one of the most popular WordPress security plugins, iThemes Security, isn’t having the security of their other plugins professionally reviewed.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newsletter

Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: