cbcvebase.
CVE-2022-31474
published 2023-03-13


Priority: P183 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 63.76% (99.1st percentile)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1.

Affected

2 ranges

Vendor    Product       Version range           Fixed in
ithemes   backupbuddy   >= 8.5.8.0, < 8.7.5.0   8.7.5.0
ithemes   backupbuddy   8.5.8.0 – 8.7.4.1

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd
path: /wp-admin/admin-post.php
  • Exploit targets the 'local-destination-id' and 'local-download' GET parameters on the admin-post.php endpoint with the page value 'pb_backupbuddy_destinations'. Requests are unauthenticated and attempt to read arbitrary files (e.g. /etc/passwd) from the server.
  • Monitor HTTP GET requests to /wp-admin/admin-post.php containing both 'local-destination-id' and 'local-download' query parameters, especially with path traversal strings (e.g. /etc/passwd, ../../).
  • Check Point IPS signature name for this CVE is 'WordPress BackupBuddy Plugin Arbitrary File Read (CVE-2022-31474)', which can be used as a reference for IPS/WAF rule naming.
  • Exploitation was observed at scale: approximately 5 million attack attempts were blocked in the wild, indicating widespread automated scanning. Prioritize detection on internet-facing WordPress installations running BackupBuddy 8.5.8.0 through 8.7.4.1.
  • The vulnerable parameter names in the Nuclei template are 'local-destination-id' and 'local-download', but the plugin's own advisory refers to them as 'download' and 'local-destination-id'. Ensure detection rules cover both parameter name variants.
  • The vulnerability is unauthenticated (PR:N, UI:N per CVSS), meaning no WordPress login session is required. Detection rules should not filter out unauthenticated requests to the admin-post.php endpoint for this specific page parameter.
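The detection guidance above can be turned directly into a log scanner. The following is an added example written for this page; it is not code from cbcvebase, iThemes, or any IPS vendor. It assumes Apache/nginx combined log format, checks the endpoint, the page value, the 'local-destination-id' parameter and both download-parameter variants named above, and treats percent-decoded traversal or sensitive-path values as the high-severity case. The sample log lines are constructed, and the severity labels are the example's own choice.

```python
"""Flag access-log requests matching the CVE-2022-31474 exploit shape.

Added example, not the page's or the plugin vendor's code. Assumptions:
combined log format, one layer of percent-encoding (handled by parse_qs),
and severity labels chosen here for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/wp-admin/admin-post.php"
TARGET_PAGE = "pb_backupbuddy_destinations"
DESTINATION_PARAM = "local-destination-id"
DOWNLOAD_PARAMS = ("local-download", "download")  # both variants named on the page

# Applied to percent-decoded parameter values, so '..%2F' is seen as '../'.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|^/etc/|wp-config\.php", re.IGNORECASE)

# Combined log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, url):
    """Return a finding dict if the request has the CVE-2022-31474 shape, else None.

    No authentication check is applied: the exploit is unauthenticated, so an
    otherwise matching request must not be dropped for lacking a session.
    """
    if method != "GET":
        return None
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page", [""])[0] != TARGET_PAGE:
        return None
    dl_keys = [k for k in DOWNLOAD_PARAMS if k in qs]
    if DESTINATION_PARAM not in qs or not dl_keys:
        return None
    values = qs[DESTINATION_PARAM] + [v for k in dl_keys for v in qs[k]]
    traversal = any(TRAVERSAL_RE.search(v) for v in values)
    return {
        "download_param": dl_keys[0],
        "values": values,
        # Shape alone is worth a look; traversal in the values is the exploit.
        "severity": "high" if traversal else "medium",
    }


def scan_log(lines):
    """Parse combined-format lines and return one finding per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["method"], m["url"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=m["status"])
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic): two exploit attempts, one
# ordinary plugin download, one unrelated page, one POST that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "GET /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd HTTP/1.1" 200 1842 "-" "python-requests/2.28"',
    '203.0.113.9 - - [14/Sep/2022:10:01:05 +0000] "GET /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=..%2F..%2F..%2Fwp-config.php&download=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2711 "-" "curl/7.85"',
    '198.51.100.4 - - [14/Sep/2022:10:02:00 +0000] "GET /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=3&local-download=backup-site.zip HTTP/1.1" 200 913 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [14/Sep/2022:10:03:00 +0000] "GET /wp-admin/admin-post.php?page=pb_backupbuddy_settings&local-download=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Sep/2022:10:04:00 +0000] "POST /wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd HTTP/1.1" 200 100 "-" "curl/7.85"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['download_param']:15} {f['values']}")
```

Running the block against the constructed lines yields three findings: the two exploit attempts at high severity (one via 'local-download', one via the 'download' variant with URL-encoded traversal) and the plain download at medium, while the unrelated page and the POST are ignored. The medium tier exists because the page's guidance is to watch the parameter pair itself, not only traversal strings; tune it out if legitimate BackupBuddy downloads are noisy in your environment.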

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         3.1       7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck             7.5     HIGH