A popular WordPress backup plugin installed in over 200,000 websites recently patched a high severity vulnerability that could lead to a denial of service attack. Wordfence assigned a CVSS severity level rating of High, with a score of 7.5/10, indicating that plugin users should take note and update their plugin.
Backuply Plugin
The vulnerability affects the Backuply WordPress backup plugin. Creating backups is a necessary function for every website, not just WordPress sites, because backups help publishers roll back to a previous version should the server fail and lose data in a catastrophic failure.
Website backups are invaluable for site migrations, hacking recovery and failed updates that render a website non-functional.
Backuply is an especially useful plugin because it backup data to multiple trusted third party cloud services and supports multiple ways to download local copies in order to create redundant backups so that if a cloud backup is bad the site can be recovered from another backup stored locally.
According to Backuply:
“Backuply comes with Local Backups and Secure Cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy One-click restoration.”
Vulnerability Affecting Backuply
The United States Government National Vulnerability Database warns that Backuply up to and including version 1.2.5 contains a flaw that can lead to denial of service attacks.
The warning explains:
“This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.”
Denial Of Service (DoS) Attack
A denial of service (DoS) attack is one in which a flaw in a software allows an attacker to make so many rapid requests that the server runs out of resources and can no longer process any further requests, including serving webpages to site visitors.
A feature of DoS attacks is that it is sometimes possible to upload scripts, HTML or other code that can then be executed, allowing the attacker to perform virtually any action.
Vulnerabilities that enable DoS attacks are considered critical, and steps to mitigate them should be taken as soon as possible.
Backuply Changelog Documentation
The official Backuply changelog, which announces the details of every update, notes that a fix was implemented in version of 1.2.6. Backuply’s transparency and rapid response is responsible and a sign of a trustworthy developer.
According to the Changelog:
“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] In some cases it was possible to fill up the logs and has been fixed. Reported by Villu Orav (WordFence)”
Recommendations
In general it is highly recommended that all users of the Backuply plugin update their plugin as soon as possible in order to prevent an unwanted security event.
Read the National Vulnrability Database description of the vulnerability:
Read the Wordfence Backuply vulnerability report:
Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service
Featured Image by Shutterstock/Doppelganger4
