A serious security flaw discovered in the WordPress backup plugin Backuply left over 200,000 websites vulnerable to cyber attacks, according to researchers.
The affected tool, installed on one-fifth of all WordPress sites worldwide, contains a “high severity” bug that could allow hackers to initiate denial-of-service (DoS) attacks and crash sites by overwhelming servers with traffic.
Backuply creates daily website backups to prevent data loss from crashes, hacks or failed updates. It supports exporting copies locally or to leading cloud drives like Google Drive and Dropbox.
Its wide range of options has made Backuply a popular WordPress staple since launching in 2019. Today, the plugin boasts over 300,000 active installs.
But until recently, a major weakness lurked under the hood.
On February 8th, web security platform WordFence revealed how an authentication flaw allowed anyone to remotely bombard Backuply servers with requests. Causing resource exhaustion and site outages.
“Attackers could effectively hold websites hostage, demanding bitcoin ransoms before restoring access,” explains Ryan Mercer, WordFence cyber threat analyst.
Backuply earned a 7.5 CVSS severity score out of 10 for the critical bug. Prompting the development team to rush out a patch in version 1.2.6.
Sites lacking the vital update remain exposed, warns Mercer. He anticipates cyber criminals will look to exploit Backuply vulnerabilities within days.
“We’ve seen single vulnerabilities actively attacked across 50,000 sites in under 3 days recently,” Mercer revealed. “So owners must act fast because hackers certainly will.”
WordFence applauds Backuply’s transparent handling of the situation upon responsible disclosure. Nevertheless, the frightening scope of this threat cannot be ignored.
Mercer projects collateral damage from potential mass attacks in the tens of millions of dollars. Making further inaction and complacency unacceptable for site owners.
“Events like this underline why software audits and patching is now as vital as backing up content itself when running a modern web business,” Mercer concludes.
Below is the National Vulnerability Database description of the vulnerability:
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
