WordPress Backup Plugin DoS Vulnerability Affects Over 200,000 Sites

A popular WordPress backup plugin installed on more than 200,000 websites recently patched a high-severity vulnerability that could be used to mount a denial-of-service attack. Wordfence rated the flaw High severity with a CVSS score of 7.5 out of 10, which means users of the plugin should take note and update it.

The Backuply plugin

The vulnerability affects the WordPress backup plugin Backuply. Backups are a necessary feature for every website, not just WordPress sites, because they let publishers roll back to an earlier version if the server goes down and loses data in a catastrophic failure.

Website backups are invaluable for site migrations, hack recovery, and failed updates that render a website non-functional.

Backuply is a particularly useful plugin because it backs up data to several trusted third-party cloud services and also supports several ways to keep local copies, creating redundant backups: if a cloud backup turns out to be bad, the site can be recovered from a locally stored one.

According to Backuply:

“Backuply includes local backups and secure cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy one-click restore.”

Vulnerability affecting Backuply

The US government's National Vulnerability Database (NVD) warns that Backuply up to and including version 1.2.5 contains a flaw that can lead to denial-of-service attacks.

The notice explains:

“This is due to direct access to the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that cause the server to run out of resources.”

Denial of Service (DoS) attack

A denial-of-service (DoS) attack is one in which a flaw in software lets an attacker make so many rapid requests that the server runs out of resources and can no longer process further requests, including serving web pages to ordinary site visitors.

Unlike a file-upload or code-execution flaw, a DoS vulnerability does not by itself let the attacker run scripts or alter the site; its impact is on availability. That is still serious. In this case the Backuply changelog indicates the resource being exhausted was log storage, and a disk filled by attacker-triggered log writes affects everything else on the server, not just the plugin.

This is why Wordfence rates the flaw High (7.5) rather than Critical: a 7.5 is what CVSS 3.1 assigns to a network-reachable, unauthenticated flaw with high availability impact and no confidentiality or integrity impact. Because no login is required to trigger it, it should be mitigated as soon as possible.
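Because the vulnerable file is hit directly and without authentication, the attack is visible in the web server's access log as a burst of requests to one path from one source. The script below is an added example, not code from the article or from Backuply: it parses Apache/nginx combined-format log lines and flags any source IP whose hits on restore_ins.php exceed a threshold within a sliding time window. It assumes the plugin is installed under the default wp-content/plugins/ directory, and the log lines it runs on are constructed sample data.

```python
"""Flag source IPs hammering Backuply's restore_ins.php in a web-server access log.

Added example, not from the article or the plugin. Assumes the default WordPress
plugin path (wp-content/plugins/backuply/) and the Apache/nginx combined log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: plugin installed under the default wp-content/plugins/ directory.
VULN_PATH = "/wp-content/plugins/backuply/restore_ins.php"

# Combined format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so ?foo=bar variants count against the same path.
    return m.group("ip"), ts, m.group("path").split("?", 1)[0], int(m.group("status"))


def find_bursts(log_lines, path=VULN_PATH, window=timedelta(seconds=60), threshold=20):
    """Sliding-window count of direct hits on `path` per source IP.

    Returns {ip: peak_hits_in_any_window} for IPs that reached `threshold`.
    Timestamps for a given IP are assumed to appear in non-decreasing order,
    which is how a web server writes them.
    """
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    peaks = {}
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash on a garbled log
        ip, ts, req_path, _status = parsed
        if req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # expire hits that fell out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _line(ip, second, path, ua="curl/8.4.0"):
    """Build one constructed combined-format line (sample data, not a real capture)."""
    ts = (datetime(2024, 2, 10, 12, 0, 0) + timedelta(seconds=second)).strftime(
        "%d/%b/%Y:%H:%M:%S +0000"
    )
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample log: one IP hammers the file, one touches it twice five
# minutes apart, one browses an unrelated path, plus one garbled line.
SAMPLE_LOG = (
    [_line("203.0.113.7", i, VULN_PATH) for i in range(40)]            # 40 hits in 40 s
    + [_line("198.51.100.5", s, VULN_PATH) for s in (5, 300)]          # not a burst
    + [_line("192.0.2.9", s, "/wp-admin/admin-ajax.php") for s in range(50)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} hits to {VULN_PATH} within 60 s")
```

On a real server, feed it the access log (`find_bursts(open("/var/log/nginx/access.log"))`) and tune the window and threshold to the site's normal traffic; legitimate use of the restore page is rare and slow, so even a low threshold produces few false positives. The flagged IPs are candidates for a firewall or WAF block until the plugin is updated.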

Backuply changelog

The official Backuply changelog, which records the details of each update, notes that a fix was shipped in version 1.2.6. Backuply's transparency and quick response are the mark of a responsible, trustworthy developer.

According to the changelog:

“1.2.6 (FEBRUARY 08, 2024)
[Security-Fix] In some cases it was possible to fill the logs and this has been fixed. Reported by Villu Orav (WordFence)”

Recommendations

All Backuply users are strongly advised to update the plugin to version 1.2.6 or later as soon as possible.

Read the vulnerability description from the National Vulnerability Database:

CVE-2024-0842

Read the Wordfence Backuply Vulnerability Report:

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 - Denial of Service

Featured image by Shutterstock/Doppelganger4


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
