CVE-2022-31474
Published 2023-03-13
CVE-2022-31474: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects…
Priority P183 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS
63.76%
99.1th percentile
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ithemes | backupbuddy | >= 8.5.8.0 < 8.7.5.0 | 8.7.5.0 |
| ithemes | backupbuddy | 8.5.8.0 – 8.7.4.1 | — |
Detection & IOCs
url: /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd
path: /wp-admin/admin-post.php
- Exploit targets the 'local-destination-id' and 'local-download' GET parameters on the admin-post.php endpoint with the page value 'pb_backupbuddy_destinations'. Requests are unauthenticated and attempt to read arbitrary files (e.g. /etc/passwd) from the server.
- Monitor HTTP GET requests to /wp-admin/admin-post.php containing both 'local-destination-id' and 'local-download' query parameters, especially with path traversal strings (e.g. /etc/passwd, ../../).
- Check Point IPS signature name for this CVE is 'WordPress BackupBuddy Plugin Arbitrary File Read (CVE-2022-31474)', which can be used as a reference for IPS/WAF rule naming.
- Exploitation was observed at scale: approximately 5 million attack attempts were blocked in the wild, indicating widespread automated scanning. Prioritize detection on internet-facing WordPress installations running BackupBuddy 8.5.8.0 through 8.7.4.1.
- The vulnerable parameter names in the Nuclei template are 'local-destination-id' and 'local-download', but the plugin's own advisory refers to them as 'download' and 'local-destination-id'. Ensure detection rules cover both parameter name variants.
- The vulnerability is unauthenticated (PR:N, UI:N per CVSS), meaning no WordPress login session is required. Detection rules should not filter out unauthenticated requests to the admin-post.php endpoint for this specific page parameter.
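The monitoring guidance above as a log filter, added here as an example (not part of the original page or any vendor rule): it scans Apache/Nginx combined-format access-log lines for the endpoint, page value and both parameter-name variants, and marks traversal-style file values. The function names, the constructed sample lines and the `served` triage flag (HTTP 200 on a traversal-style value) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request and status fields of an Apache/Nginx "combined" access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/wp-admin/admin-post.php"
PAGE = "pb_backupbuddy_destinations"
DEST_PARAM = "local-destination-id"
FILE_PARAMS = ("local-download", "download")  # both naming variants noted above

def classify(line):
    """Return None for unrelated lines, else a dict describing the match."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(ENDPOINT):  # WordPress may sit in a subdirectory
        return None
    q = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    if PAGE not in q.get("page", []) or DEST_PARAM not in q:
        return None
    # Decode a second time so double-encoded values are judged on real content.
    files = [unquote(v) for p in FILE_PARAMS for v in q.get(p, [])]
    if not files:
        return None
    # Traversal signal: an absolute path or a ".." segment in the file value.
    traversal = any(v.startswith("/") or ".." in v.replace("\\", "/").split("/")
                    for v in files)
    # Assumption: HTTP 200 on a traversal-style value is triaged first.
    return {"method": m["method"], "status": int(m["status"]), "files": files,
            "traversal": traversal, "served": traversal and m["status"] == "200"}

def scan(lines):
    """Return (line_index, match) pairs for every line that matches."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := classify(line))]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Sep/2022:10:01:02 +0000] "GET /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.7 - - [06/Sep/2022:10:01:05 +0000] "GET /blog/wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=1&download=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.10 - - [06/Sep/2022:10:02:11 +0000] "POST /wp-admin/admin-post.php?action=contact_form HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [06/Sep/2022:10:03:40 +0000] "GET /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=2&local-download=backup-2022.zip HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_LOG):
        print(idx, hit)
```

The filter does not look at cookies or session state, so unauthenticated requests are not excluded.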
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
GHSA
GHSA-mvpf-v9m4-52gp: Directory Traversal vulnerability in iThemes BackupBuddy plugin 8
ghsa_unreviewed · 2023-03-13
CVE-2022-31474 [HIGH] CWE-22
Directory Traversal vulnerability in iThemes BackupBuddy plugin 8.5.8.0 - 8.7.4.1 versions.
VulnCheck
ithemes backupbuddy Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2022 · CVSS 7.5
CVE-2022-31474 [HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1.
Affected: ithemes backupbuddy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-31474; https://dashboard.shadowserver.org/
No detection rules found.
Nuclei
BackupBuddy - Local File Inclusion
nuclei · CVSS 7.5
CVE-2022-31474 [HIGH]
BackupBuddy versions 8.5.8.0 - 8.7.4.1 are vulnerable to a local file inclusion vulnerability via the 'download' and 'local-destination-id' parameters.
Template:
```yaml
id: CVE-2022-31474

info:
  name: BackupBuddy - Local File Inclusion
  author: aringo
  severity: high
  description: BackupBuddy versions 8.5.8.0 - 8.7.4.1 are vulnerable to a local file inclusion vulnerability via the 'download' and 'local-destination-id' parameters.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.
  remediation: Upgrade to at least version 8.7.5 or higher
  reference:
    - https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/
    - https://ithemes.com/blo
```
Checkpoint
12th September – Threat Intelligence Report
blogs_checkpoint · 2022-09-12 · CVSS 10.0
CVE-2021-44228 [CRITICAL]
## 12th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th September, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research uncovered a malicious campaign dubbed “DangerousSavanna” targeting multiple major financial groups in French-speaking Africa for the past two years. Threat actors used spear-phishing as the initial infection method, sending malicious attachments by emails to financial services employees in Ivory C
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
- https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/
- https://patchstack.com/database/vulnerability/backupbuddy/wordpress-backup-buddy-plugin-8-5-8-0-8-7-4-1-unauthenticated-path-traversal-arbitrary-file-download-vulnerability?_s_id=cve