iThemes · iThemes BackupBuddy · CVE-2022-31474
**Name of the Vulnerable Software and Affected Versions**
iThemes BackupBuddy versions 8.5.8.0 through 8.7.4.1
**Description**
The issue affects the iThemes BackupBuddy plugin and allows unauthorized users to download arbitrary files from a vulnerable site, including files that may contain confidential information. The root cause is a Path Traversal vulnerability, also known as Improper Limitation of a Pathname to a Restricted Directory: a user-supplied file name is not confined to the intended backup directory. Approximately 5 million attempts to exploit this vulnerability have been detected against the BackupBuddy plugin, which has around 140,000 active installations.
**Recommendations**
For iThemes BackupBuddy versions 8.5.8.0 through 8.7.4.1, update to version 8.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories on the server to minimize the risk of exploitation.
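To make the vulnerability class concrete for defenders, the following added example (not code from the BackupBuddy plugin, and not a reproduction of the actual flaw) contrasts a naive path join with a check that confines a requested backup name to the backup directory. The site layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def vulnerable_resolve(backup_dir: str, requested: str) -> str:
    """Naive join: the requested name is trusted, so '../' sequences walk
    out of the backup directory (the CWE-22 pattern behind this advisory)."""
    return os.path.join(backup_dir, requested)


def safe_resolve(backup_dir: str, requested: str) -> Optional[str]:
    """Return the real path of the requested backup only if it resolves to a
    regular file directly inside backup_dir; otherwise return None."""
    base = os.path.realpath(backup_dir)
    try:
        candidate = os.path.realpath(os.path.join(base, requested))
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # embedded NUL byte, or paths on different drives
        return None
    # Reject escapes (including via symlinks, since realpath resolved them)
    # and anything in a subdirectory: backups live directly in base.
    if not inside or os.path.dirname(candidate) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def run_demo() -> dict:
    """Build a constructed site layout in a temp dir and exercise both
    resolvers with a legitimate backup name and a traversal name."""
    with tempfile.TemporaryDirectory() as site:
        backups = os.path.join(site, "backups")
        os.mkdir(backups)
        with open(os.path.join(backups, "site-backup.zip"), "w") as f:
            f.write("constructed backup archive")
        secret = os.path.join(site, "wp-config.php")  # constructed sensitive file
        with open(secret, "w") as f:
            f.write("<?php // constructed placeholder secrets ?>")
        traversal = os.path.join("..", "wp-config.php")
        return {
            "vulnerable_escapes": os.path.realpath(
                vulnerable_resolve(backups, traversal)) == os.path.realpath(secret),
            "safe_blocks_traversal": safe_resolve(backups, traversal) is None,
            "safe_allows_backup": safe_resolve(backups, "site-backup.zip") is not None,
            "safe_blocks_absolute": safe_resolve(backups, secret) is None,
        }


if __name__ == "__main__":
    print(run_demo())
```

The same containment check, applied before any file is served, is the fix for this class regardless of how the request parameter is named; the workaround above (restricting server-level access to sensitive paths) only limits what a successful traversal can reach.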