Menu
iThemes
WordPress Security, Backups & Maintenance
WordPress News and Updates from iThemes
Categories

WordPress Vulnerability Report, Special Edition – September 6, 2022: BackupBuddy

Written by on

Last Updated on September 7, 2022

We recently discovered a security vulnerability in our BackupBuddy plugin. The vulnerability could allow a breach of your WordPress site, so we are asking all customers to confirm your sites are running version 8.7.5 or higher of the BackupBuddy plugin.

BackupBuddy

Product image for BackupBuddy.
Plugin
BackupBuddy
Vulnerability
Directory Traversal Vulnerability
Patched in Version
8.7.5
Severity Score
High
The vulnerability has been patched, so you should update to version 8.7.5.

Who This Vulnerability Impacts

This vulnerability only impacts sites running BackupBuddy versions 8.5.8.0 through 8.7.4.1.

We have indications that this vulnerability is being actively exploited in the wild. We were notified of suspicious activity related to a BackupBuddy installation on September 2nd, 2022. The earliest exploits we have discovered appear to have started on August 27th, 2022.

  • Once we identified the exploit, we released a patch on September 2, 2022, to resolve the exploit in BackupBuddy version 8.7.5.
  • We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.
  • We also pushed auto-updates for all iThemes Sync users who have BackupBuddy installed.

What Information Can Hackers Get Access To?

This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.

Indicators of Compromise

To detect if your site was attacked, look for the following indicators of compromise. Search your server’s access logs for any text that contains local-destination-id and /etc/passwd or wp-config.php with an HTTP 2xx Response. (If you need help with this, please reach out to our support team by creating a support ticket on the iThemes Help Desk.)

What You Should Do: Recommended Next Steps

1. Update BackupBuddy to version 8.7.5 immediately.

Please update to BackupBuddy 8.7.5. immediately to fix this exploit. Even if you aren’t running one of the vulnerable versions of BackupBuddy, we still recommend updating to BackupBuddy 8.7.5 as a best practice for running the latest versions of all your plugins and themes.

Running BackupBuddy on multiple WordPress sites? Use iThemes Sync to quickly update all your sites to BackupBuddy 8.7.5.

2. Follow the steps in the previous section to search for a compromise.

If you have determined that your site may have been compromised, we recommend performing the following steps.

  1. Reset your database password. You may have to reach out to your hosting provider to help you with this.
  2. Change your WordPress salts. iThemes Security can do this for you automatically via Tools > Change WordPress Salts. You can update them manually following our guide on how to change your WordPress salts and keys.
  3. Rotate other secrets in wp-config.php. You may have stored API keys for services like Amazon S3 in your wp-config.php file. If so, these should be reset and updated.

If your server has an exposed phpMyAdmin installation, or your WordPress server connects to a publicly accessible database server, we recommend restoring to a backup from a date prior to the earliest logged access attempt. If this isn’t possible, engage a Hack Repair service to help you manually clean your WordPress website. At a minimum, you should search for and remove any suspicious administrator users on your website and reset the passwords for all other administrator users.

If you manage your own server

  1. Consider rotating SSH passwords for all users. An attacker could brute force the hashed password in the file and possibly continue to gain further unauthorized access to your server.
  2. Consider updating your web user’s SSH keys. An attacker could read the private SSH key file and the associated known hosts that the web user might have accessed previously.

Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Questions?

Our support team is standing by if you have questions or need help. Please open a ticket through the iThemes Help Desk.

Other related posts
A security-riddled computer monitor. There is a large, orange shield with a slash in the middle of the screen. Surrounding it are a red target, a green skull and crossbones, an orange “bug”, a triangle with an explanation point in the middle and a gray gear.
WordPress Vulnerability Report – January 25, 2023
WordPress vulnerability report
WordPress Vulnerability Report – January 18, 2023
A computer riddled with security issue alerts. There is a large, orange shield with a slash in the middle of the screen. Surrounding it are a red target, a green skull and crossbones, an orange “bug”, a triangle with an explanation point in the middle and a gray gear.
WordPress Vulnerability Report – January 11, 2023
WordPress Vulnerability Report
WordPress Vulnerability Report – January 4, 2023
Copy link
CopyCopied
Powered by Social Snap