PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site, which can include sensitive information.

After reviewing historical data, we determined that attackers started targeting this vulnerability on August 26, 2022, and that we have blocked 4,948,926 attacks targeting this vulnerability since that time. The vulnerability affects versions 8.5.8.0 to 8.7.4.1 and has been fully patched as of September in version 8.7.5.

All Wordfence customers, including Wordfence Premium, Wordfence Care, Wordfence Response, and Wordfence Free users, have been, and will continue to be, protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules. Wordfence Premium, Care, and Response customers receive enhanced protection, as attackers heavily targeting the vulnerability are blocked by the IP Blocklist.

Because this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version, 8.7.5, which iThemes has made available to all site owners running a vulnerable version regardless of licensing status.

Vulnerability Details

Description: Arbitrary File Download/Read
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The BackupBuddy plugin for WordPress is designed to make back-up management easy for WordPress site owners. One of its features is storing back-up files in multiple locations, known as Destinations, which include Google Drive, OneDrive, and AWS, to name a few. Back-up downloads can also be stored locally via the ‘Local Directory Copy’ option. Unfortunately, the method to download these locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.

More specifically, the plugin registers an admin_init hook for the function intended to download local back-up files, and the function itself had neither a capability check nor nonce validation. This means the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), so unauthenticated users could call it. The back-up path is not validated, so an arbitrary file path could be supplied and the file subsequently downloaded.

Because this vulnerability is being actively exploited and is easy to exploit, we are sharing minimal details about it.

The Wordfence firewall has blocked over 4.9 million exploit attempts targeting this vulnerability since August 26, 2022, which is the first indication we have that it was being exploited. We are seeing attackers attempting to retrieve sensitive files such as /wp-config.php and /etc/passwd, which can be used to further compromise a victim. The top 10 attacking IP addresses are as follows:
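For plugin developers, the three controls the Vulnerability Details section says were missing (a capability check, nonce validation, and validation of the back-up path) look like this in a hardened admin_init download handler. This is an added illustration written for this post, not BackupBuddy's code; the hook action name, query parameters and back-up directory (all prefixed bb_demo_) are assumptions, and the WordPress functions used are standard core APIs.

```php
<?php
// Added example, not BackupBuddy's code. Names prefixed bb_demo_ are hypothetical.

add_action('admin_init', 'bb_demo_download_local_backup');

function bb_demo_download_local_backup() {
    // admin_init fires on every admin request, including admin-post.php,
    // which is reachable without logging in. Only react to our own action.
    if (!isset($_GET['action']) || $_GET['action'] !== 'bb_demo_download') {
        return;
    }

    // 1. Capability check: who is allowed to download back-ups at all.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 403);
    }

    // 2. Nonce check: the request must originate from a page we rendered,
    //    which also blocks cross-site request forgery of the download.
    check_admin_referer('bb_demo_download', '_wpnonce');

    // 3. Path confinement: strip directory components from the requested
    //    name and require the resolved path to live inside the back-up
    //    directory, so traversal sequences and absolute paths are rejected.
    $backup_dir = realpath(WP_CONTENT_DIR . '/uploads/bb-demo-backups');
    $requested  = isset($_GET['file']) ? wp_unslash($_GET['file']) : '';
    $candidate  = $backup_dir === false
        ? false
        : realpath($backup_dir . DIRECTORY_SEPARATOR . basename($requested));

    if ($candidate === false
        || strpos($candidate, $backup_dir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($candidate)
        || pathinfo($candidate, PATHINFO_EXTENSION) !== 'zip') {
        wp_die('Invalid back-up file.', 400);
    }

    // Serve the validated file and stop further WordPress processing.
    nocache_headers();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($candidate) . '"');
    header('Content-Length: ' . filesize($candidate));
    readfile($candidate);
    exit;
}
```

The download link that targets this handler is built with wp_nonce_url() on a page only an administrator can see, so a request that lacks a valid nonce or arrives unauthenticated is rejected before any file path is touched.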