Hackers are actively exploiting zero-day in the WordPress BackupBuddy plugin


BackupBuddy is a popular WordPress backup plugin used by lakhs of websites to back up their WordPress sites. WordPress security company Wordfence has just disclosed that hackers are actively exploiting a zero-day flaw in BackupBuddy to download sensitive information from affected websites. The vulnerability is tracked as CVE-2022-31474 and has a CVSS score of 7.5.

The vulnerability lets unauthenticated users download arbitrary files from the affected site. These arbitrary files may contain sensitive information.

Wordfence also claims to have blocked nearly 5 million attacks targeting this vulnerability since August 26, 2022. In most attacks, attackers are trying to read wp-config.php, .my.cnf, .accesshash, and /etc/passwd files.

“We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin,” says iThemes, the developer of the BackupBuddy plugin.

The vulnerability affects BackupBuddy versions 8.5.8.0 to 8.7.4.1. BackupBuddy version 8.7.5 has fixed the vulnerability. So update to the latest version of BackupBuddy on your website if you are using this plugin. BackupBuddy is a popular plugin with more than 140k active installations. All these websites are at risk if they don’t update to the latest version.
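Site owners who ran an affected version can also check whether their site was probed for the files named above. The following is an added example, not code from Wordfence or iThemes: it scans access-log lines in combined log format for query strings that reference those files, including percent-encoded and double-encoded forms. The log lines, the IP addresses and the `example_param` parameter name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# File names the article says attackers most often try to read.
TARGETS = ("wp-config.php", ".my.cnf", ".accesshash", "/etc/passwd")

# Combined log format: client IP ... "METHOD request-target PROTOCOL" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder parameter name).
SAMPLE = [
    '203.0.113.7 - - [27/Aug/2022:10:01:02 +0000] "GET /index.php?example_param=/etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [27/Aug/2022:10:01:05 +0000] "GET /index.php?example_param=..%252F..%252Fwp-config.php HTTP/1.1" 403 199',
    '198.51.100.4 - - [27/Aug/2022:10:02:11 +0000] "GET /blog/?s=backup+plugin HTTP/1.1" 200 5120',
    '192.0.2.9 - - [27/Aug/2022:10:03:40 +0000] "GET /index.php?example_param=%2Fhome%2Fuser%2F.my.cnf HTTP/1.1" 200 312',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded paths are still matched."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return {client_ip: [(status, target, request), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, _method, request, status = m.groups()
        query = fully_decode(urlsplit(request).query).lower()
        for target in TARGETS:
            if target in query:
                hits[ip].append((int(status), target, request))
    return dict(hits)

if __name__ == "__main__":
    for ip, found in scan(SAMPLE).items():
        for status, target, request in found:
            # A 200 response deserves the closest look: the file may have been served.
            print(f"{ip} status={status} target={target} request={request}")
```

Only GET query strings appear in a standard access log, so a clean result does not rule out requests that carried the file name elsewhere. If a match returned status 200, treat the credentials in that file as exposed and rotate them.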
