Friday, September 9, 2022

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy



Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than a week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

A Directory Traversal Bug

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine whether their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.
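One of the recovery steps above, rotating the WordPress salts in wp-config.php, as an added example that is not from the article or from iThemes: the script rewrites all eight `AUTH_KEY`/`*_SALT` defines with fresh CSPRNG values, leaves other defines untouched, and refuses to report success if any of the eight is missing. The sample config text is constructed for the example.

```python
import re
import secrets
import string

# Constructed sample of the salt section of wp-config.php (not a real site's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
"""

# The eight authentication keys and salts WordPress reads from wp-config.php.
WP_SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Characters safe inside a single-quoted PHP literal (no quote, no backslash).
_ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}<>?,.~"


def new_secret(length: int = 64) -> str:
    """Return a fresh random secret from the CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_salts(config_text: str) -> tuple[str, dict[str, str]]:
    """Rewrite every define('<SALT>', '...') with a fresh secret; raise if any is missing."""
    rotated: dict[str, str] = {}

    def _sub(m: re.Match) -> str:
        # Keep the define(...) wrapper exactly as written, swap only the value.
        rotated[m.group("name")] = new_secret()
        return m.group("head") + rotated[m.group("name")] + m.group("tail")

    pattern = re.compile(
        r"(?P<head>define\(\s*'(?P<name>" + "|".join(WP_SALT_NAMES) + r")'\s*,\s*')"
        r"[^']*(?P<tail>'\s*\))"
    )
    new_text = pattern.sub(_sub, config_text)
    missing = set(WP_SALT_NAMES) - set(rotated)
    if missing:
        raise ValueError(f"salts not found in config: {sorted(missing)}")
    return new_text, rotated
```

Rotating the salts invalidates every existing login cookie, which is the point after a suspected compromise; the database password and any API keys in the same file still have to be rotated separately.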

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

WordPress Plug-in Security: An Endemic Problem

The BackupBuddy flaw is just one of thousands of flaws, almost all of them involving plug-ins, that have been disclosed in WordPress environments in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021, and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-ins had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products can be challenging because of their sheer volume and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious [plug-ins, integrations, and third-party apps] don't create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."
