
Zero-Day Vulnerability in BackupBuddy WordPress Plugin

The developer of the BackupBuddy plugin for WordPress has released an updated version that fixes an actively exploited directory traversal vulnerability. The flaw allows unauthenticated users to download arbitrary files from vulnerable sites. The issue affects BackupBuddy versions 8.5.8.0 to 8.7.4.1. iThemes has made BackupBuddy version 8.7.5 available to all site owners “regardless of licensing status.” BackupBuddy has an estimated 140,000 installations.

Note

  • You already checked to make sure that you’re running the current version of BackupBuddy (8.7.5), or removed it because it’s no longer needed. It’s OK, I’ll wait. Now, double-check that your WAF’s directory traversal and file inclusion rules are in place. Incorporate the IOCs from the Wordfence blog into your IP blocklist. What was that? You don’t have a WAF in front of your WordPress site? The easy button is to pick up one designed for WordPress (like Wordfence), then subscribe to updates for immediate access to protections against current threats. Note that cleaning up after one successful exploit will quickly eclipse that subscription cost.
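Checking that traversal rules are "in place" is easier when you can see what a traversal request looks like after decoding. The following is an added example, not code from the post, iThemes or Wordfence: it parses web-server access log lines, percent-decodes each request target repeatedly (double encoding such as `%252e%252e%252f` is a common way to slip past a single-pass rule), and flags requests that contain `../` sequences or reach for well-known sensitive files. The log lines, the plugin path `example-plugin/download.php` and the `path` parameter are all constructed for illustration; the post does not describe the actual BackupBuddy request, and nothing here reproduces it.

```python
"""Flag directory-traversal attempts in access logs (added example).

The sample log lines and the endpoint/parameter names are constructed and
do not describe the real BackupBuddy vulnerability.
"""
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
)

# Files that a successful traversal on a WordPress host typically targets.
SENSITIVE = ("wp-config.php", "/etc/passwd", ".htaccess")

# Constructed sample log; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Sep/2022:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512
198.51.100.7 - - [06/Sep/2022:10:15:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?path=../../../../wp-config.php HTTP/1.1" 200 2048
198.51.100.7 - - [06/Sep/2022:10:15:03 +0000] "GET /wp-content/plugins/example-plugin/download.php?path=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1337
192.0.2.11 - - [06/Sep/2022:10:15:04 +0000] "GET /wp-content/uploads/2022/09/photo.jpg HTTP/1.1" 200 40960
"""


def normalize_target(raw: str) -> str:
    """Percent-decode until stable (max 3 rounds) and unify separators.

    Repeated decoding exposes double- or triple-encoded '../' sequences;
    backslashes are folded to '/' so one check covers Windows-style paths.
    """
    decoded = raw
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def has_traversal(decoded: str) -> bool:
    """True if the decoded target contains a parent-directory reference."""
    return "../" in decoded or decoded.endswith("..")


def scan(lines):
    """Return (client_ip, decoded_target, reasons, status) per flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        ip, _ts, _method, target, status = m.groups()
        decoded = normalize_target(target)
        reasons = []
        if has_traversal(decoded):
            reasons.append("traversal")
        if any(name in decoded.lower() for name in SENSITIVE):
            reasons.append("sensitive-target")
        if reasons:
            hits.append((ip, decoded, ",".join(reasons), int(status)))
    return hits


def blocklist_candidates(lines):
    """Client IPs that issued at least one flagged request."""
    return {ip for ip, _t, _r, _s in scan(lines)}


if __name__ == "__main__":
    for ip, target, reasons, status in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {reasons}: {target}")
    print("blocklist candidates:", sorted(blocklist_candidates(SAMPLE_LOG.splitlines())))
```

A flagged request that the server answered with 200 is the case that matters during triage: a WAF or the fixed plugin should have produced a 4xx, so a 200 against a traversal pattern means the file was likely served and the site should be treated as compromised (rotate the credentials in `wp-config.php`, not just patch). IPs surfaced this way complement, rather than replace, the published Wordfence IOCs.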
