A widely used WordPress backup plugin, installed on over 200,000 websites, has recently patched a high-severity vulnerability that could be used to mount a denial of service (DoS) attack. Wordfence assigned the flaw a CVSS severity rating of High, with a score of 7.5/10, underscoring the importance of updating the plugin.
Backuply Plugin
The vulnerability is found in the Backuply WordPress backup plugin. Creating backups is essential for any website, not just those on WordPress. Backups ensure that publishers can revert to a previous version in case of a server failure or data loss.
Website backups are crucial for site migrations, recovering from hacking incidents, and dealing with failed updates that may render a website non-functional. Backuply is particularly beneficial as it backs up data to multiple trusted third-party cloud services and allows multiple methods to download local copies. This redundancy ensures that if a cloud backup is corrupted, the site can be restored from another locally stored backup.
According to Backuply:
“Backuply comes with Local Backups and Secure Cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy One-click restoration.”
Vulnerability Affecting Backuply
The United States government's National Vulnerability Database (NVD) warns that Backuply, up to and including version 1.2.5, contains a flaw that can lead to DoS attacks.
The warning explains:
“This is due to direct access of the backuply/restore_ins.php file. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.”
Denial of Service (DoS) Attack
A DoS attack exploits a flaw in software, allowing an attacker to make numerous rapid requests, ultimately depleting the server’s resources. Consequently, the server fails to process further requests, including serving web pages to visitors. DoS attacks can also allow attackers to upload scripts or other code, enabling them to perform a variety of malicious actions.
Vulnerabilities enabling DoS attacks are considered critical, and it is crucial to address them promptly.
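As an added example (not code from the article, the plugin, or the NVD), the Python script below scans web server access logs in the standard combined format for the pattern the NVD entry describes: a single unauthenticated client making an excessive number of requests directly to backuply/restore_ins.php. The log lines are constructed sample data, and the window size and threshold are assumed tuning values a site operator would adjust.

```python
import re
from collections import defaultdict
from datetime import datetime

# Path named in the NVD description; any unauthenticated client could request it directly.
TARGET_PATH = "/wp-content/plugins/backuply/restore_ins.php"

# Combined log format (Apache/Nginx default): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path-without-query) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def find_bursts(lines, path=TARGET_PATH, window_seconds=60, threshold=20):
    """Return {ip: peak_hits} for clients whose requests to `path` reach `threshold`
    within any sliding interval of `window_seconds`. Other paths are ignored."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == path:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past requests that are too old
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def constructed_log():
    """Constructed sample traffic (not real data): one client hammering the restore
    script once per second for 30 seconds, one ordinary visitor, one single hit to the path."""
    fmt = '{ip} - - [09/Feb/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "curl/8.4.0"'
    lines = [fmt.format(ip="203.0.113.7", sec=s, path=TARGET_PATH) for s in range(30)]
    lines.append(fmt.format(ip="198.51.100.4", sec=5, path="/wp-admin/admin-ajax.php"))
    lines.append(fmt.format(ip="198.51.100.9", sec=7, path=TARGET_PATH + "?x=1"))
    return lines

if __name__ == "__main__":
    for ip, peak in find_bursts(constructed_log()).items():
        print(f"{ip}: {peak} requests to {TARGET_PATH} within 60s")
```

Run against a real access log with `find_bursts(open("access.log"))`; a flagged client on a site still running 1.2.5 or earlier is a signal to block the source and update the plugin.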
Backuply Changelog Documentation
The official Backuply changelog details the updates made to the plugin. A fix for this vulnerability was implemented in version 1.2.6. Backuply’s prompt and transparent response demonstrates their trustworthiness as a developer.
According to the Changelog:
“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] In some cases it was possible to fill up the logs, and this has been fixed. Reported by Villu Orav (WordFence)”
Recommendations
It is strongly recommended that all users of the Backuply plugin update to the latest version immediately to prevent potential security breaches.
For further details, refer to the official description in the National Vulnerability Database under CVE-2024-0842 and the Wordfence vulnerability report for Backuply version 1.2.5 and earlier.