WordPress Vulnerability Report, Special Edition – September 6, 2022: BackupBuddy
We recently discovered a security vulnerability in our BackupBuddy plugin. The vulnerability could allow a breach of your WordPress site, so we are asking all customers to confirm your sites are running version 8.7.5 or higher of the BackupBuddy plugin. Who This Vulnerability Impacts This vulnerability only impacts sites running BackupBuddy versions 8.
We recently discovered a security vulnerability in our BackupBuddy plugin. The vulnerability could allow a breach of your WordPress site, so we are asking all customers to confirm your sites are running version 8.7.5 or higher of the BackupBuddy plugin.
BackupBuddy
- Plugin:
- BackupBuddy
- Vulnerability:
- Directory Traversal Vulnerability
- Patched in Version:
- 8.7.5
- Severity Score:
- High
Who This Vulnerability Impacts
This vulnerability only impacts sites running BackupBuddy versions 8.5.8.0 through 8.7.4.1.
We have indications that this vulnerability is being actively exploited in the wild. We were notified of suspicious activity related to a BackupBuddy installation on September 2nd, 2022. The earliest exploits we have discovered appear to have started on August 27th, 2022.
- Once we identified the exploit, we released a patch on September 2, 2022, to resolve the exploit in BackupBuddy version 8.7.5.
- We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.
- We also pushed auto-updates for all iThemes Sync users who have BackupBuddy installed.
What Information Can Hackers Get Access To?
This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.
Indicators of Compromise
To detect if your site was attacked, look for the following indicators of compromise. Search your server’s access logs for any text that contains local-destination-id and /etc/passwd or wp-config.php with an HTTP 2xx Response. (If you need help with this, please reach out to our support team by creating a support ticket on the iThemes Help Desk.)
What You Should Do: Recommended Next Steps
1. Update BackupBuddy to version 8.7.5 immediately.
Please update to BackupBuddy 8.7.5. immediately to fix this exploit. Even if you aren’t running one of the vulnerable versions of BackupBuddy, we still recommend updating to BackupBuddy 8.7.5 as a best practice for running the latest versions of all your plugins and themes.
Running BackupBuddy on multiple WordPress sites? Use iThemes Sync to quickly update all your sites to BackupBuddy 8.7.5.
2. Follow the steps in the previous section to search for a compromise.
If you have determined that your site may have been compromised, we recommend performing the following steps.
- Reset your database password. You may have to reach out to your hosting provider to help you with this.
- Change your WordPress salts. iThemes Security can do this for you automatically via Tools > Change WordPress Salts. You can update them manually following our guide on how to change your WordPress salts and keys.
- Rotate other secrets in wp-config.php. You may have stored API keys for services like Amazon S3 in your
wp-config.phpfile. If so, these should be reset and updated.
If your server has an exposed phpMyAdmin installation, or your WordPress server connects to a publicly accessible database server, we recommend restoring to a backup from a date prior to the earliest logged access attempt. If this isn’t possible, engage a Hack Repair service to help you manually clean your WordPress website. At a minimum, you should search for and remove any suspicious administrator users on your website and reset the passwords for all other administrator users.
If you manage your own server
- Consider rotating SSH passwords for all users. An attacker could brute force the hashed password in the file and possibly continue to gain further unauthorized access to your server.
- Consider updating your web user’s SSH keys. An attacker could read the private SSH key file and the associated known hosts that the web user might have accessed previously.
Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
Questions?
Our support team is standing by if you have questions or need help. Please open a ticket through the iThemes Help Desk.
Join us for the next Solid Academy Webinar!
Free weekly webinars that will help you master WordPress and increase your business's bottom line.
What is a WordPress Phishing Attack?
Learn how to identify and prevent phishing attacks on WordPress websites.
Kiki SheldonWebsite Protection: 5 Ways to Keep Your Website Safe
Robust website protection is the shield that stands between your business and relentless cyber attacks. Prioritizing website protection enables businesses to fortify defenses to safeguard their online presence and preserve the trust of their customers in the face of ever-evolving cybersecurity threats.
Kiki Sheldon23 Ideas To Grow Your WordPress Business in 2023
WordPress is the most popular website-building platform worldwide, trusted by numerous brands. WordPress enables you to build a user-friendly and highly reliable site, together with tools and plugins to enhance your marketing and work like a lead magnet. All these features make WordPress the platform chosen by more than 43% of businesses globally.
SolidWP Editorial TeamSign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Get started with confidence — risk free, guaranteed
