The developer of the BackupBuddy plugin for WordPress has released an updated version of the plugin that fixes an actively exploited directory traversal vulnerability. The flaw allows unauthenticated users to download files from vulnerable sites. The issue affects BackupBuddy versions 18.104.22.168 to 22.214.171.124. iThemes has made BackupBuddy version 8.7.5 available to all site owners “regardless of licensing status.” BackupBuddy has been installed an estimated 140,000 times.
- You already checked to make sure that you’re running the current version of BackupBuddy (8.7.5) or removed it because it’s no longer needed. It’s OK, I’ll wait. Now, double-check that your WAF’s directory traversal and file inclusion rules are in place. Incorporate the IOCs from the Wordfence blog into your IP blocklist. What was that? You don’t have a WAF in front of your WordPress site? The easy button is to pick up one designed for WordPress (like Wordfence), then subscribe to updates for immediate access to protections against current threats. Note that you’re going to eclipse that subscription cost quickly when cleaning up from one successful exploit.
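As an added illustration (not from the news item, iThemes or Wordfence), the following Python scan flags directory traversal attempts in web-server access logs, including URL-encoded and double-encoded forms, and records which source IPs got a 200 back, which is the kind of check to run alongside confirming the WAF rules above. The log lines, endpoint path and `file` parameter are constructed placeholders and do not reflect the real BackupBuddy request format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (placeholder endpoint/parameter, not the
# real plugin's). Two clients probe for traversal, one downloads a normal backup.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Sep/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_download&file=../../../../wp-config.php HTTP/1.1" 200 2311
198.51.100.7 - - [06/Sep/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2311
198.51.100.7 - - [06/Sep/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_download&file=%252e%252e%252f..%252fetc%252fpasswd HTTP/1.1" 404 120
192.0.2.22 - - [06/Sep/2022:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_download&file=backup-2022-09-05.zip HTTP/1.1" 200 104857
192.0.2.22 - - [06/Sep/2022:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

# Common log format: client IP, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # '../' or '..\' after decoding
SENSITIVE = ("wp-config.php", "/etc/passwd", ".htaccess")

def normalise(target, rounds=3):
    """Percent-decode until stable (defeats double encoding), unify slashes."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def is_traversal(target):
    """True if the request target contains a traversal sequence or names a sensitive file."""
    path = normalise(target).lower()
    return bool(TRAVERSAL_RE.search(path)) or any(s in path for s in SENSITIVE)

def scan_log(text):
    """Return {ip: {'attempts': n, 'served_200': n}} for traversal requests only.
    A non-zero served_200 means the server answered the probe, so treat it as a
    possible successful download and escalate to incident response."""
    hits = defaultdict(lambda: {"attempts": 0, "served_200": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        hits[m["ip"]]["attempts"] += 1
        if m["status"] == "200":
            hits[m["ip"]]["served_200"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, rec in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {rec['attempts']} traversal attempt(s), {rec['served_200']} answered 200")
```

Feed it your real access log instead of `SAMPLE_LOG`; IPs with any hits are candidates for the blocklist, and any `served_200` entry warrants checking which file was returned.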