Malicious actors have been actively exploiting a zero-day vulnerability in the WordPress plugin named BackupBuddy to facilitate arbitrary file downloads, The Hacker News reports.
Nearly five million attacks targeting the flaw, tracked as CVE-2022-31474, have already been blocked since exploitation began on Aug. 26, with most attacks originating from the IP address 18.104.22.168, according to a report from Cofense. The vulnerability stems from the plugin's "Local Directory Copy" feature, affects BackupBuddy versions 22.214.171.124 to 126.96.36.199, and has since been fixed in version 8.7.5.
"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd," said BackupBuddy plugin developer iThemes.
Cofense researchers noted that most of the attacks sought to read the /etc/passwd, /wp-config.php, .accesshash, and .my.cnf files.
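As an added defender-side example (not code from the article, iThemes or Cofense), the script below scans web-server access-log lines for requests that try to pull the files the report names (/etc/passwd, wp-config.php, .accesshash, .my.cnf) through a download-style parameter, and tallies the attempts per source address. The log lines are constructed samples, and the admin page and `file=` parameter in them are hypothetical placeholders, not the plugin's real endpoint; the detection keys on the target file names and on URL-encoded traversal sequences rather than on any specific plugin route.

```python
"""
Flag access-log requests that attempt to read sensitive files via a
download-style parameter, as seen in reports of the BackupBuddy
arbitrary-file-download exploitation. All log lines here are constructed;
the admin page name and "file" parameter are hypothetical placeholders.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Files the report says attackers were trying to read (lowercase for matching).
SENSITIVE_FILES = ("/etc/passwd", "wp-config.php", ".accesshash", ".my.cnf")

# Apache/Nginx "combined" style: ip - - [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """URL-decode twice so double-encoded traversal (e.g. %252e%252e%252f) is exposed."""
    return unquote(unquote(path)).lower()


def has_traversal(decoded: str) -> bool:
    """True if the decoded request contains a parent-directory escape."""
    return "../" in decoded or "..\\" in decoded


def in_query(decoded: str, names) -> bool:
    """True if any of the sensitive names appears in the query string part."""
    if "?" not in decoded:
        return False
    query = decoded.split("?", 1)[1]
    return any(name in query for name in names)


def scan_log(lines):
    """Return one hit dict per suspicious request: source IP, target file, HTTP status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        decoded = decode_path(m["path"])
        matched = [f for f in SENSITIVE_FILES if f in decoded]
        # A sensitive name in a parameter, or reached via traversal, is suspicious;
        # a plain request for /wp-config.php is handled by the web server itself.
        if matched and (has_traversal(decoded) or in_query(decoded, matched)):
            hits.append({"ip": m["ip"], "file": matched[0], "status": int(m["status"])})
    return hits


def per_source_counts(hits) -> Counter:
    """Count suspicious requests per source address (useful for blocking/reporting)."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log; IPs are documentation ranges, endpoint/parameter hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2022:10:00:00 +0000] "GET /wp-admin/admin.php?page=hypothetical-page&file=../../../../etc/passwd HTTP/1.1" 200 1804',
    '203.0.113.5 - - [26/Aug/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=hypothetical-page&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2210',
    '198.51.100.7 - - [26/Aug/2022:10:05:00 +0000] "GET /wp-admin/admin.php?page=hypothetical-page&file=..%252f..%252f.my.cnf HTTP/1.1" 403 0',
    '192.0.2.9 - - [26/Aug/2022:10:06:00 +0000] "GET /wp-content/uploads/2022/08/photo.jpg HTTP/1.1" 200 51234',
    '192.0.2.9 - - [26/Aug/2022:10:06:02 +0000] "GET /index.php?p=12 HTTP/1.1" 200 4100',
    '203.0.113.5 - - [26/Aug/2022:10:07:00 +0000] "GET /wp-admin/admin.php?page=hypothetical-page&file=.accesshash HTTP/1.1" 200 44',
]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        # A 200 on a sensitive file is the case that warrants incident response.
        print(f"{h['ip']} requested {h['file']} -> HTTP {h['status']}")
    print("per-source:", dict(per_source_counts(found)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; a hit with HTTP 200 on an unpatched version is the signal to treat the file contents (database credentials in wp-config.php, MySQL credentials in .my.cnf) as exposed and rotate them, in addition to updating the plugin.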