Authenticated (subscriber+) Plugin Setting change vulnerability in WP Shamsi plugin <= 4.1.1 at WordPress.

CVE-2022-38058

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

**Solution**

Update the WordPress All In One SEO Pack plugin to the latest available version (at least 4.2.4).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress All In One SEO Pack Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 4.2.4.

**11 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-38093: WordPress All in One SEO plugin <= 4.2.3.1 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

CVE-2022-38093: All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.
"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.
BackupBuddy allows users to back up their entire WordPress installation from within the

A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed.

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said.

BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.

The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022.

The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of the insecure implementation, which enables an unauthenticated threat actor to download any arbitrary file on the server.

Additional details about the flaw have been withheld in light of active in-the-wild abuse and its ease of exploitation.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plugin's developer, iThemes, said. "This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence noted that the targeting of CVE-2022-31474 commenced on August 26, 2022, and that it has blocked nearly five million attacks in the intervening time period. Most of the intrusions have attempted to read the below files -

*   /etc/passwd
*   /wp-config.php
*   .my.cnf
*   .accesshash

Users of the BackupBuddy plugin are advised to upgrade to the latest version. Should users determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

Site backup plugin developer issues patch following reports of millions of exploit attempts

Adam Bannister 08 September 2022 at 13:57 UTC  
Updated: 08 September 2022 at 16:32 UTC

Site backup plugin developer issues patch following reports of millions of exploit attempts

UPDATED WordPress websites running BackupBuddy have been urged to update the plugin amid reports of active exploitation of a high severity arbitrary file download/read vulnerability.

BackupBuddy, which is used to backup WordPress sites, and has around 140,000 active installations.

WordPress security firm Wordfence has revealed that its firewall has blocked more than 4.9 million exploit attempts related to the flaw since abuse was first detected on August 26.

The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites.

Read more of the latest WordPress security news

A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.

The vulnerability affects versions between 8.5.8.0 and 8.7.4.1, and was patched in version 8.7.5. 

iThemes, the plugin developer, told The Daily Swig that the bug was patched on September 2, not on September 6 as Wordfence (and therefore this article too) initially stated, within hours of being “notified of suspicious activity related to a BackupBuddy installation”.

It continued: “We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.

“We recommend that customers follow the steps outlined in the disclosure post to detect if their site was attacked. Our support team is standing by to help if anyone needs help or assistance from the iThemes Help Desk.”

**Local root cause**

The vulnerability arose from an insecure implementation of the mechanism used to download locally stored files, meaning unauthenticated attackers could download any file stored on the server.

“More specifically the plugin registers an hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation,” according to a Wordfence blog post published on September 6.

“This means that the function could be triggered via any administrative page, including those that can be called without authentication (), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.”

Sysadmins can find signs of exploitation by “checking for the ‘’ and/or the ‘’ parameter value when reviewing requests in your access logs,” said Wordfence.

“Presence of these parameters along with a full path to a file or the presence of to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.”

iThemes concluded: “This incident, like many others experienced by other vendors in the past, underscores how security-aware WordPress users have become. WordPress as a whole has become a much more secure platform thanks to the commitment of vendors, users, and security researchers to make security easier for everyone, and iThemes is proud to be an integral part of that.”

This article was updated on September 8 with comment from iThemes

YOU MIGHT ALSO LIKE A rough guide to launching a career in cybersecurity

WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

WordPress BackupBuddy plugin versions 8.5.8.0 through 8.7.4.1 suffer from an arbitrary file read and download vulnerability.

    Description: Arbitrary File Download/ReadAffected Plugin: BackupBuddyPlugin Slug: backupbuddyPlugin Developer: iThemesAffected Versions: 8.5.8.0 – 8.7.4.1CVE ID: CVE-2022-31474CVSS Score: 7.5 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NFully Patched Version: 8.7.5The BackupBuddy plugin for WordPress is designed to make back-up management easy for WordPress site owners. One of the features in the plugin is to store back-up files in multiple different locations, known as Destinations, which includes Google Drive, OneDrive, and AWS just to name a few. There is also the ability to store back-up downloads locally via the ‘Local Directory Copy’ option. Unfortunately, the method to download these locally stored files was insecurely implemented making it possible for unauthenticated users to download any file stored on the server.More specifically the plugin registers an admin_init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation. This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability.Indicators of CompromiseThe Wordfence firewall has blocked over 4.9 million exploit attempts targeting this vulnerability since August 26, 2022, which is the first indication we have that this vulnerability was being exploited. We are seeing attackers attempting to retrieve sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim.The top 10 Attacking IP Addresses are as follows:- 195.178.120.89 with 1,960,065 attacks blocked- 51.142.90.255 with 482,604 attacks blocked- 51.142.185.212 with 366770 attacks blocked- 52.229.102.181 with 344604 attacks blocked- 20.10.168.93 with 341,309 attacks blocked- 20.91.192.253 with 320,187 attacks blocked- 23.100.57.101 with 303,844 attacks blocked- 20.38.8.68 with 302,136 attacks blocked- 20.229.10.195 with 277,545 attacks blocked- 20.108.248.76 with 211,924 attacks blockedA majority of the attacks we have observed are attempting to read the following files:- /etc/passwd- /wp-config.php- .my.cnf- .accesshashWe recommend checking for the ‘local-download’ and/or the ‘local-destination-id’ parameter value when reviewing requests in your access logs. Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5, right now since this is an actively exploited vulnerability.All Wordfence customers, including Wordfence Premium, Wordfence Care, Wordfence Response, and Wordfence Free users, have been, and will continue to be, protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild.We will continue to monitor the situation and follow up as more information becomes available.

WordPress BackupBuddy 8.7.4.1 Arbitrary File Read

Broken Access Control vulnerability in Alessio Caiazza's About Me plugin <= 1.0.12 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

**Description**

This plugin has been closed as of August 24, 2022 and is not available for download. This closure is temporary, pending a full review.

**Reviews**

There are no reviews for this plugin.

**Contributors & Developers**

“About Me” is open source software. The following people have contributed to this plugin.

Contributors

*    nolith

CVE-2022-36387: About Me

Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress.

CVE-2022-37344

Missing Access Control vulnerability in About Rentals. Inc. About Rentals plugin <= 1.5 at WordPress.

CVE-2022-36427

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

**Legend:**

Unmodified

Added

Removed

*   **joomsport-sports-league-results-management/trunk/includes/moderator/joomsport-moder-mday.php**
    
    r2517792
    
    r2767877
    
     
    
    56
    
    56
    
    57
    
    57
    
            if ( ! empty( $\_REQUEST\['orderby'\] ) ) {
    
    58
    
     
    
              $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );
    
    59
    
     
    
              $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';
    
     
    
    58
    
                $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );
    
     
    
    59
    
    60
    
    60
    
            }
    
    61
    
    61
    
            if(!$season\_id){
    
*   **joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-events.php**
    
    r2679820
    
    r2767877
    
     
    
    34
    
    34
    
    35
    
    35
    
            if ( ! empty( $\_REQUEST\['orderby'\] ) ) {
    
    36
    
     
    
              $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );
    
    37
    
     
    
              $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';
    
     
    
    36
    
              //$sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );
    
     
    
    37
    
              //$sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';
    
     
    
    38
    
              $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );
    
    38
    
    39
    
            }else{
    
    39
    
    40
    
                $sql .= ' ORDER BY ordering';
    
    …
    
    …
    
     
    
    44
    
    45
    
            $sql .= ' OFFSET ' . ( $page\_number - 1 ) \* $per\_page;
    
    45
    
    46
    
    46
    
     
    
     
    
    47
    
    //echo $sql;die();
    
    47
    
    48
    
            $result = $wpdb->get\_results( $sql, 'ARRAY\_A' );
    
    48
    
    49
    
    …
    
    …
    
     
    
    113
    
    114
    
        public function get\_sortable\_columns() {
    
    114
    
    115
    
            $sortable\_columns = array(
    
    115
    
     
    
              'name' => array( 'name', true ),
    
     
    
    116
    
              'name' => array( 'e\_name', true ),
    
    116
    
    117
    
                'player\_event' => array( 'player\_event', true ),
    
    117
    
    118
    
            );
    
*   **joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-extrafields.php**
    
    r2540219
    
    r2767877
    
     
    
    31
    
    31
    
    32
    
    32
    
            if ( ! empty( $\_REQUEST\['orderby'\] ) ) {
    
    33
    
     
    
              $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );
    
    34
    
     
    
              $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';
    
     
    
    33
    
                $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );
    
     
    
    34
    
    35
    
    35
    
            }
    
    36
    
    36
    
*   **joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-stages.php**
    
    r2540219
    
    r2767877
    
     
    
    31
    
    31
    
    32
    
    32
    
            if ( ! empty( $\_REQUEST\['orderby'\] ) ) {
    
    33
    
     
    
              $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );
    
    34
    
     
    
              $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';
    
     
    
    33
    
              $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );
    
     
    
    34
    
    35
    
    35
    
            }
    
    36
    
    36
    
    …
    
    …
    
     
    
    92
    
    92
    
        public function get\_sortable\_columns() {
    
    93
    
    93
    
            $sortable\_columns = array(
    
    94
    
     
    
              'name' => array( 'name', true )
    
     
    
    94
    
              'name' => array( 'm\_name', true )
    
    95
    
    95
    
            );
    
    96
    
    96
    
*   **joomsport-sports-league-results-management/trunk/joomsport.php**
    
    r2761633
    
    r2767877
    
     
    
    4
    
    4
    
    Plugin URI: http://joomsport.com
    
    5
    
    5
    
    Description: Sport league plugin
    
    6
    
     
    
    Version: 5.2.5
    
     
    
    6
    
    Version: 5.2.6
    
    7
    
    7
    
    Author: BearDev
    
    8
    
    8
    
    Author URI: http://BearDev.com
    
*   **joomsport-sports-league-results-management/trunk/readme.txt**
    
    r2761633
    
    r2767877
    
     
    
    125
    
    125
    
    \== Changelog ==
    
    126
    
    126
    
     
    
    127
    
    \= 5.2.6 =
    
     
    
    128
    
    \* Vulnerabilities found. Critical fixes delivered!
    
     
    
    129
    
    127
    
    130
    
    \= 5.2.5 =
    
    128
    
    131
    
    \* Minor fixes (paging in matches tab, warnings, notices, etc.)
    
*   **joomsport-sports-league-results-management/trunk/sportleague/classes/objects/class-jsport-player.php**
    
    r2444527
    
    r2767877
    
     
    
    175
    
    175
    
                $tabs\[$intA\]\['body'\] = '';
    
    176
    
    176
    
                $this->lists\['pagination'\] = $this->lists\['match\_pagination'\];
    
    177
    
     
    
                $tabs\[$intA\]\['text'\] = jsHelper::getMatches($this->lists\['matches'\], $this->lists);
    
     
    
    177
    
                $tabs\[$intA\]\['text'\] = '<form>'.jsHelper::getMatches($this->lists\['matches'\], $this->lists, false).'<input type="hidden" name="jscurtab" value="stab\_matches" /><input type="hidden" name="sid" value="'.esc\_attr($this->season\_id).'" /></form>';
    
    178
    
    178
    
                $tabs\[$intA\]\['class'\] = '';
    
    179
    
    179
    
                $tabs\[$intA\]\['ico'\] = 'js-match';
    

**Note:** See TracChangeset for help on using the changeset viewer.

Tag

#wordpress