A widely-used WordPress backup plugin, utilized by more than 200,000 websites, recently addressed a critical vulnerability that could expose sites to denial-of-service attacks. Rated as High severity by Wordfence with a score of 7.5/10, users are urged to promptly update their plugin to ensure security.

Backuply Plugin Vulnerability

The vulnerability impacts the Backuply WordPress backup plugin. Backing up data is indispensable for website owners, serving as a safety net in cases of server failures, data loss, or cyberattacks.

Website backups play a pivotal role in various scenarios including site migrations, recovery from hacking incidents, and rectifying failed updates.

Backuply stands out for its ability to create redundant backups by storing data on multiple trusted third-party cloud services, along with supporting various methods for downloading local copies.

According to Backuply:

"Backuply offers both Local Backups and Secure Cloud backups with seamless integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3, and effortless one-click restoration."

Vulnerability Overview

The United States Government National Vulnerability Database has issued a warning concerning Backuply versions up to and including 1.2.5, highlighting a vulnerability that could trigger denial-of-service attacks.

The advisory states:

"The vulnerability stems from direct access to the backuply/restore_ins.php file, allowing unauthenticated attackers to send excessive requests, depleting server resources."

Understanding Denial-of-Service (DoS) Attacks

A denial-of-service (DoS) attack occurs when a software flaw permits attackers to inundate a server with rapid requests, causing it to exhaust its resources and become unresponsive. In some cases, attackers may exploit DoS vulnerabilities to execute malicious scripts or code, enabling them to manipulate the server's operations.

Mitigation and Patch

Acknowledging the severity of the issue, Backuply swiftly addressed the vulnerability in version 1.2.6, demonstrating their commitment to transparency and security.

As stated in the Changelog:

"1.2.6 (FEBRUARY 08 2024)
[Security-Fix] Fixed potential log overflow issue. Reported by Villu Orav (WordFence)"

Recommendations for Users

To safeguard their websites against potential security breaches, all Backuply plugin users are strongly advised to update to version 1.2.6 immediately.

Don't leave your website vulnerable – prioritize security by staying updated with the latest patches and enhancements.

Share this post