A serious security flaw discovered in the WordPress backup plugin Backuply left over 200,000 websites vulnerable to cyber attacks, according to researchers.
The affected tool, installed on one-fifth of all WordPress sites worldwide, contains a “high severity” bug that could allow hackers to initiate denial-of-service (DoS) attacks and crash sites by overwhelming servers with traffic.
Backuply creates daily website backups to prevent data loss from crashes, hacks or failed updates. It supports exporting copies locally or to leading cloud drives like Google Drive and Dropbox.
Its wide range of options has made Backuply a popular WordPress staple since launching in 2019. Today, the plugin boasts over 300,000 active installs.
But until recently, a major weakness lurked under the hood.
On February 8th, web security platform WordFence revealed how an authentication flaw allowed anyone to remotely bombard Backuply servers with requests. Causing resource exhaustion and site outages.
“Attackers could effectively hold websites hostage, demanding bitcoin ransoms before restoring access,” explains Ryan Mercer, WordFence cyber threat analyst.
Backuply earned a 7.5 CVSS severity score out of 10 for the critical bug. Prompting the development team to rush out a patch in version 1.2.6.
Sites lacking the vital update remain exposed, warns Mercer. He anticipates cyber criminals will look to exploit Backuply vulnerabilities within days.
“We’ve seen single vulnerabilities actively attacked across 50,000 sites in under 3 days recently,” Mercer revealed. “So owners must act fast because hackers certainly will.”
WordFence applauds Backuply’s transparent handling of the situation upon responsible disclosure. Nevertheless, the frightening scope of this threat cannot be ignored.
Mercer projects collateral damage from potential mass attacks in the tens of millions of dollars. Making further inaction and complacency unacceptable for site owners.
“Events like this underline why software audits and patching is now as vital as backing up content itself when running a modern web business,” Mercer concludes.
Below is the National Vulnerability Database description of the vulnerability:
In addition to the NVD report above, read the Wordfence Backuply vulnerability report:
Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service
Discover more from TechBooky
Subscribe to get the latest posts sent to your email.