Hackers are seen exploiting the BackupBuddy zero-day

September 21, 2022

Malicious threat actors have been discovered abusing a zero-day flaw in BackupBuddy, a WordPress plugin for backing up an entire WordPress installation from the dashboard.

The zero-day in the BackupBuddy plugin lies in a feature called Local Directory Copy, which site operators use to save a local copy of their backups. The flaw stems from an insecure implementation of that feature.

The newly discovered flaw enables a malicious entity to download arbitrary files from the affected site, including files that hold sensitive information. Researchers track the zero-day as CVE-2022-31474; it affects BackupBuddy versions 8.5.8.0 through 8.7.4.1.

Fortunately, the vulnerability has been patched in version 8.7.5, published by the affected vendor earlier this month.

In addition, the zero-day vulnerability allows a malicious threat actor to read the contents of any targeted file on the server. Any file the WordPress installation can read can be retrieved, so an attacker can freely choose which files to target.

One of the files an actor could read using the flaw is the wp-config[.]php file. Depending on the server setup, other sensitive files such as /etc/passwd could be read as well.


The first sighting of abuse of the BackupBuddy zero-day flaw happened last month.


Researchers initially noticed abuse of the BackupBuddy zero-day flaw on August 26th, and a security firm has blocked more than five million attacks in the intervening time.

The researchers observed that most attempted breaches tried to read the files /wp-config[.]php, .accesshash, /etc/passwd, and .my[.]cnf. Unfortunately, the researchers could not determine the extent of the breaches, since they did not know whether the attackers had obtained what they were after.

However, the security team has not released additional details about the vulnerability because it is under active abuse and easy to exploit.

Experts suggest that BackupBuddy plugin users update to the latest version, 8.7.5. Furthermore, they should check whether their site was targeted and reset their database password.

Lastly, affected websites should rotate any API keys stored in wp-config[.]php and change the WordPress salts.
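As an added example (not part of the original article), the following Python scans web-server access log lines for query strings that reference the files the article says attackers were reading, which is one way to start answering whether a site was targeted. The log lines and the `file` parameter name are constructed; the article does not give the plugin's actual request format.

```python
import re
from urllib.parse import unquote

# Files the article reports attackers trying to read through the flaw.
SENSITIVE_TARGETS = ("wp-config.php", ".accesshash", "/etc/passwd", ".my.cnf")

# Combined-log request field and status: "METHOD /path?query HTTP/x.y" 200
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(value: str) -> str:
    """URL-decode until stable (attackers double-encode) and lowercase."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.lower()

def flag_request(line: str):
    """Return (matched_target, status) if the request's query string points
    at a sensitive file, else None. Only query strings are examined: a plain
    request *for* /wp-config.php is ordinary noise, but a parameter whose
    value names it is what an arbitrary-file-read attempt looks like."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group("url"):
        return None
    query = normalize(m.group("url").split("?", 1)[1])
    for target in SENSITIVE_TARGETS:
        if target in query:
            return target, m.group("status")
    return None

def scan(lines):
    """Yield (client_ip, matched_target, status) for suspicious requests.
    A 200 status does not prove the read succeeded, only that it was served."""
    for line in lines:
        hit = flag_request(line)
        if hit:
            yield line.split(" ", 1)[0], hit[0], hit[1]

# Constructed sample log lines (not real traffic); "file" is a placeholder
# parameter name, not the plugin's own.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2022:10:01:02 +0000] "GET /wp-admin/?file=/etc/passwd HTTP/1.1" 200 1834',
    '203.0.113.5 - - [26/Aug/2022:10:01:03 +0000] "GET /wp-admin/?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3021',
    '198.51.100.7 - - [26/Aug/2022:10:02:15 +0000] "GET /wp-admin/?file=%252Fetc%252Fpasswd HTTP/1.1" 200 1834',
    '192.0.2.9 - - [26/Aug/2022:10:03:00 +0000] "GET /index.php?p=42 HTTP/1.1" 200 5120',
    '192.0.2.9 - - [26/Aug/2022:10:03:01 +0000] "GET /wp-config.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} attempted to read {target} (status {status})")
```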
