A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.
“This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information,” it said.
The vulnerability affects versions 18.104.22.168 to 22.214.171.124.
The BackupBuddy plugin for WordPress is designed to make back-up management easy for WordPress site owners.
One of the features in the plugin is to store back-up files in multiple different locations, known as Destinations, which include Google Drive, OneDrive, and AWS for example.
There is also the ability to store back-up downloads locally via the ‘Local Directory Copy’ option. Unfortunately, the method to download these locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.
More specifically, the plugin registers an admin_init hook for the function intended to download local back-up files, and the function itself had neither a capability check nor any nonce validation.
This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function.
The back-up path is not validated, so an arbitrary file path could be supplied and the corresponding file subsequently downloaded.
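The three defects described above (no capability check, no nonce validation, no path validation on a handler reachable through admin_init) map directly onto three controls a WordPress download handler should have. The following is an added illustration written for this article, not BackupBuddy's code or a patch from iThemes; the function names, the `example_` prefix, the `EXAMPLE_BACKUP_DIR` constant and the `.zip`-only rule are assumptions made for the example.

```php
<?php
/*
 * Hypothetical hardened "download a local backup copy" handler.
 * Illustrates the three controls the advisory says were missing;
 * it is not the plugin's real code.
 */

// Assumption: backups live in one fixed directory under wp-content/uploads.
define( 'EXAMPLE_BACKUP_DIR', wp_get_upload_dir()['basedir'] . '/example-backups' );

add_action( 'admin_init', 'example_handle_backup_download' );

function example_handle_backup_download() {
    // Only react to our own action parameter; admin_init fires on every admin request.
    if ( ! isset( $_GET['example_action'] ) || 'download_backup' !== $_GET['example_action'] ) {
        return;
    }

    // 1. Capability check. admin_init also runs for admin-post.php, which
    //    unauthenticated clients can reach, so the hook alone proves nothing
    //    about who is calling.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce validation. The link must carry a nonce generated for this
    //    action and this user (see wp_nonce_url in the usage note), which
    //    blocks cross-site request forgery.
    check_admin_referer( 'example_download_backup' );

    // 3. Path validation. The request names a file; we only serve it if it
    //    resolves to a regular file inside EXAMPLE_BACKUP_DIR.
    $requested = isset( $_GET['backup'] ) ? wp_unslash( $_GET['backup'] ) : '';
    $path      = example_resolve_backup_path( $requested );
    if ( null === $path ) {
        wp_die( 'Invalid backup file.', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

/**
 * Return the real path of a backup file, or null unless the request is a
 * plain .zip filename that resolves to a regular file inside EXAMPLE_BACKUP_DIR.
 */
function example_resolve_backup_path( $requested ) {
    // Drop any directory components, then let WordPress strip odd characters.
    $name = sanitize_file_name( basename( (string) $requested ) );
    if ( '' === $name || ! preg_match( '/\.zip$/i', $name ) ) {
        return null;
    }

    $base = realpath( EXAMPLE_BACKUP_DIR );
    $real = realpath( EXAMPLE_BACKUP_DIR . '/' . $name );

    // realpath() returns false for missing files and collapses symlinks and
    // "..", so a prefix comparison on the resolved paths enforces containment.
    if ( false === $base || false === $real || ! is_file( $real ) ) {
        return null;
    }
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $real;
}
```

The matching download link in the admin UI would be built with `wp_nonce_url( admin_url( 'admin.php?example_action=download_backup&backup=' . rawurlencode( $name ) ), 'example_download_backup' )`, so that `check_admin_referer()` has a nonce to verify. The order of the checks matters: the capability and nonce checks run before anything touches the filesystem, and the path check refuses to serve anything that is not a regular file already inside the backup directory rather than trying to clean up a path it distrusts.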
We strongly encourage you to ensure your site has been updated to the latest patched version, 8.7.5, which iThemes has made available to all site owners running a vulnerable version regardless of licensing status.