A serious security flaw discovered in the WordPress backup plugin Backuply left over 200,000 websites vulnerable to cyber attacks, according to researchers.
The affected tool, installed on one-fifth of all WordPress sites worldwide, contains a “high severity” bug that could allow hackers to initiate denial-of-service (DoS) attacks and crash sites by overwhelming servers with traffic.
Backuply creates daily website backups to prevent data loss from crashes, hacks or failed updates. It supports exporting copies locally or to leading cloud drives like Google Drive and Dropbox.
Its wide range of options has made Backuply a popular WordPress staple since launching in 2019. Today, the plugin boasts over 300,000 active installs.
But until recently, a major weakness lurked under the hood.
On February 8th, web security platform WordFence revealed how an authentication flaw allowed anyone to remotely bombard Backuply servers with requests. Causing resource exhaustion and site outages.
“Attackers could effectively hold websites hostage, demanding bitcoin ransoms before restoring access,” explains Ryan Mercer, WordFence cyber threat analyst.
Backuply earned a 7.5 CVSS severity score out of 10 for the critical bug. Prompting the development team to rush out a patch in version 1.2.6.
Sites lacking the vital update remain exposed, warns Mercer. He anticipates cyber criminals will look to exploit Backuply vulnerabilities within days.
“We’ve seen single vulnerabilities actively attacked across 50,000 sites in under 3 days recently,” Mercer revealed. “So owners must act fast because hackers certainly will.”
WordFence applauds Backuply’s transparent handling of the situation upon responsible disclosure. Nevertheless, the frightening scope of this threat cannot be ignored.
Mercer projects collateral damage from potential mass attacks in the tens of millions of dollars. Making further inaction and complacency unacceptable for site owners.
“Events like this underline why software audits and patching is now as vital as backing up content itself when running a modern web business,” Mercer concludes.
Below is the National Vulnerability Database description of the vulnerability:
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
