13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]

8 Sep 2022

Here Is the Incredibly Insecure Exploited Code in a Plugin From the Developer of iThemes Security

Two days ago the developer of the iThemes Security plugin, which is one of the most popular WordPress security plugins, disclosed that another of their plugins, BackupBuddy, had a zero-day vulnerability. A zero-day vulnerability is one that is being exploited before the developer is aware of it. That seems like a big story, but when the vulnerability was covered by the WP Tavern, there was no mention of iThemes Security or any question raised about what that says about the state of WordPress security plugins.

iThemes’ post also makes this strange claim: [Read more]

8 Sep 2017

Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in BackupBuddy

Back in June we introduced a new feature to the service where we proactively monitor changes made to plugins to try to catch serious vulnerabilities in them. To do that, we first identify possibly vulnerable code by running a series of regular expressions over the changes being made to plugins in the Plugin Directory, and then we manually check over any results that we haven’t previously reviewed. We have recently been looking at whether doing the same with the plugins installed on websites that we are doing hack cleanups of would be useful. Through that we found a cross-site request forgery (CSRF)/PHP object injection vulnerability in BackupBuddy, which is exploitable in multisite-based WordPress installs.

The plugin features a beta multisite feature, which currently can be turned on by adding a line to the WordPress configuration file: [Read more]