Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.
The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.
WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in’s developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.
A Directory Traversal Bug
In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 22.214.171.124 through 126.96.36.199. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.
“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” the plug-in maker warned.
iThemes’ alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.
Wordfence said it had seen attackers using the flaw to try to retrieve “sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim.”
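As an added illustration (not code from the article, Wordfence or iThemes), the following Python check scans web-server access logs for requests whose query parameters carry traversal sequences or name the files mentioned above; the endpoint path, parameter name and log lines are constructed placeholders, not BackupBuddy's real ones.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit, parse_qsl

# Files the article says attackers tried to retrieve; traversal patterns are generic.
SENSITIVE_TARGETS = ("wp-config.php", "/etc/passwd")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")

# Combined log format: only the client IP, timestamp, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; "example-plugin" and "file" are placeholders, not the real endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=example-plugin&file=backup.zip HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Aug/2022:10:00:02 +0000] "GET /wp-admin/admin.php?page=example-plugin&file=../../../../wp-config.php HTTP/1.1" 200 3021',
    '203.0.113.9 - - [26/Aug/2022:10:00:03 +0000] "GET /wp-admin/admin.php?page=example-plugin&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1840',
]

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e%252e%252f) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url: str) -> Optional[dict]:
    """Return a finding if any query parameter carries a traversal or a sensitive target."""
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        val = decode_fully(raw)  # parse_qsl already decoded one round
        traversal = bool(TRAVERSAL.search(val))
        target = next((t for t in SENSITIVE_TARGETS if t in val), None)
        if traversal or target:
            return {"param": name, "value": val, "traversal": traversal, "target": target}
    return None

def scan_log(lines) -> list:
    """Parse each log line and collect findings with the requesting IP, time and status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hit = inspect_request(m["url"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], **hit})
    return findings
```

A 200 status on a flagged request is the signal that warrants the secret-rotation steps iThemes describes, since the file may already have been served.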
WordPress Plug-in Security: An Endemic Problem
The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.
In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 — and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-ins had no known fix.
A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.
Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.
Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.
“As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product,” he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.
“Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions,” Yu notes. “Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious [plug-ins, integrations, and third-party apps] do not create problems for their customers,” he notes.
Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.
“Installing is easy and removing is an afterthought or never done,” Broomhead tells Dark Reading. “Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress.”
Broomhead adds, “Even with WordPress issuing alerts about plug-ins being vulnerable, other priorities than security may delay the removal of malicious plug-ins.”