
Zero-Day Vulnerability in BackupBuddy WordPress Plugin

The developer of the BackupBuddy plugin for WordPress has released an updated version that fixes an actively exploited directory traversal vulnerability. The flaw allows unauthenticated users to download files from vulnerable sites. The issue affects BackupBuddy versions 8.5.8.0 to 8.7.4.1. iThemes has made BackupBuddy version 8.7.5 available to all site owners “regardless of licensing status.” BackupBuddy has been installed an estimated 140,000 times.
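
An added example, not from the original post or from iThemes: a small Python check that reads the `Version:` header from a plugin's main PHP file and classifies it against the version range stated above. The file path is supplied by the operator as an argument, and the sample header and status labels are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Bounds as stated in the article, padded to four components for comparison.
FIRST_AFFECTED = (8, 5, 8, 0)
LAST_AFFECTED = (8, 7, 4, 1)
FIXED = (8, 7, 5, 0)

# WordPress plugin headers look like " * Version: 1.2.3" inside a comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)\s*$", re.I | re.M)

# Constructed sample header, used when no file path is given.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: BackupBuddy
 * Version: 8.7.4.1
 */
"""

def parse_version(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))  # 8.7.5 compares as 8.7.5.0

def header_version(php_source):
    # WordPress only scans the first 8 KB of a plugin file for headers.
    match = HEADER_RE.search(php_source[:8192])
    return match.group(1) if match else None

def classify(version):
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "below-range"
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED:
        return "patched"
    return "unlisted"  # between 8.7.4.1 and 8.7.5: not covered by the article

def check(php_source):
    version = header_version(php_source)
    return (version, classify(version) if version else "no-version-header")

if __name__ == "__main__":
    # Path to the plugin's main PHP file is an operator-supplied assumption.
    source = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_HEADER
    version, status = check(source)
    print(f"BackupBuddy version {version}: {status}")
    sys.exit(1 if status == "affected" else 0)
```

The script exits non-zero when the version falls in the affected range, so it can gate a deployment or monitoring job.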

Note

  • You already checked to make sure that you’re running the current version of BackupBuddy (8.7.5) or removed it because it’s no longer needed. It’s OK, I’ll wait. Now, double check that your WAF protections for directory traversal and file inclusion are in place. Incorporate the IOCs from the Wordfence blog into your IP blocklist. What was that? You don’t have a WAF in front of your WordPress site? The easy button is to pick up one designed for WordPress (like Wordfence), then subscribe to updates for immediate access to protections against current threats. Note that you’re going to quickly eclipse that subscription cost cleaning up from one successful exploit.

Read more in

  • Vulnerability in BackupBuddy Plugin Exploited to Hack WordPress Sites
  • Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy
  • PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

The post Zero-Day Vulnerability in Backupbuddy Wordpress Plugin appeared first on PUPUWEB - Information Resource for Emerging Technology Trends and Cybersecurity.


