Vulnerability exploited in the wild
Late in the evening on September 6, the Wordfence Threat Intelligence team discovered a vulnerability being actively exploited in BackupBuddy, a WordPress plugin that has around 140,000 active installations.
The vulnerability allows unauthorised users to download arbitrary files from the affected site, which may include sensitive data. It impacts versions 8.5.8.0 to 8.7.4.1 and was fully fixed by September 2, 2022, in version 8.7.5.
Because the vulnerability is being actively exploited, experts recommend that users make sure their site is updated to the latest fixed version, 8.7.5, which iThemes has made available to all site owners running a vulnerable version regardless of licence status.
About the vulnerability
There is also an option to store backup downloads locally through the "Local Directory Copy" option. Sadly, the process for downloading these locally stored files was not implemented securely, which can allow unauthorised users to download any file stored on the server.
How is the vulnerability exploited?
Notably, the plugin registers an admin_init hook for the function that downloads local backup files, and the function itself performs no nonce validation or capability checks.
The backup location isn't validated either, so an arbitrary file could be supplied in its place and downloaded.
Because the vulnerability is being exploited in the wild and is easy to exploit, Wordfence has shared some details about it.
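The three checks described above as missing (capability check, nonce validation, validation of the backup location), shown in a hardened download handler. This is an added example, not BackupBuddy's code or its patch; the function name, the `example_backup` parameter, the nonce action and the `EXAMPLE_BACKUP_DIR` location are hypothetical.

```php
<?php
// Added example with hypothetical names; not taken from BackupBuddy.
// Assumption: backups live in a single directory under wp-content.
define( 'EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/uploads/example-backups' );

// admin_init also fires for admin-ajax.php and admin-post.php, which
// visitors who are not logged in can reach. Hooking a handler here says
// nothing about who the caller is, so the handler must check for itself.
add_action( 'admin_init', 'example_download_local_backup' );

function example_download_local_backup() {
    if ( ! isset( $_GET['example_backup'] ) ) {
        return; // Not a download request; let the admin page load normally.
    }

    // 1. Capability check: only administrators may fetch backups.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. Nonce validation: the link must have been generated by this site
    //    for this action (dies on a missing or invalid _wpnonce).
    check_admin_referer( 'example_download_backup' );

    // 3. Location validation: keep only the file name, resolve symlinks,
    //    and require the result to sit inside the backup directory.
    $requested = basename( (string) wp_unslash( $_GET['example_backup'] ) );
    $base      = realpath( EXAMPLE_BACKUP_DIR );
    $path      = ( false === $base ) ? false
        : realpath( $base . DIRECTORY_SEPARATOR . $requested );

    if ( false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_die( 'Backup not found', '', array( 'response' => 404 ) );
    }

    // All three checks passed: stream the file as an attachment.
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

Removing any one of the three checks reopens part of the problem: without the capability and nonce checks any visitor can reach the handler, and without the path check an authorised request can still read outside the backup directory.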
How to stay safe?
If the site is breached, it may mean that BackupBuddy was the reason for the breach.
In its report, Wordfence concludes: