Why it matters: WordPress plugin developer, iThemes, alerted users to a vulnerability related to their BackupBuddy extension earlier this week. The security hole leaves plugin users susceptible to unauthorized access by malicious actors, providing them with the opportunity to steal sensitive files and information. The flaw affects any sites running BackupBuddy 126.96.36.199 through 188.8.131.52. Users should update to version 8.7.5 to patch the hole.
According to iThemes researchers, Hackers are actively exploiting the vulnerability (CVE-2022-31474) across impacted systems using specific versions of the BackupBuddy plugin. The exploit allows attackers to view the contents of any WordPress-accessible file on the affected server. This includes those with sensitive information, including /etc/passwd, /wp-config.php, .my.cnf, and .accesshash. These files can provide unauthorized access to system user details, WordPress database settings, and even authentication permissions to the affected server as the root user.
Administrators and other users can take steps to determine if their site was compromised. Authorized users can review an impacted server’s logs containing local-destination-id and /etc/passed or wp-config.php that return an HTTP 2xx response code, indicating a successful response was received.
WordPress security solution developer Wordfence identified millions of attempts to exploit the vulnerability dating back to August 26th. According to Wordfence security researchers, users and administrators should check server logs for references to the aforementioned local-destination-id folder and the local-download folder. The PSA went on to list the top IPs associated with the attempted attacks, which include:
- 184.108.40.206 with 1,960,065 attacks blocked
- 220.127.116.11 with 482,604 attacks blocked
- 18.104.22.168 with 366,770 attacks blocked
- 22.214.171.124 with 344,604 attacks blocked
- 126.96.36.199 with 341,309 attacks blocked
- 188.8.131.52 with 320,187 attacks blocked
- 184.108.40.206 with 303,844 attacks blocked
- 220.127.116.11 with 302,136 attacks blocked
- 18.104.22.168 with 277,545 attacks blocked
- 22.214.171.124 with 211,924 attacks blocked
Researchers at iTheme provide compromised BackupBuddy users with several steps designed to mitigate and prevent further unauthorized access. These steps include resetting WordPress database passwords, changing WordPress salts, updating API keys stored in the wp-config.php file, and updating SSH passwords and keys. Customers requiring additional support can submit support tickets via the iThemes Help Desk.
Image credit: Justin Morgan