CVE-2022-31474
Published: 13 March 2023
Summary
CVE-2022-31474 is a high-severity Path Traversal (CWE-22) vulnerability in iThemes BackupBuddy. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-31474 is a path traversal vulnerability, tracked as CWE-22, that affects the iThemes BackupBuddy WordPress plugin in versions 8.5.8.0 through 8.7.4.1. The flaw stems from improper limitation of a pathname to a restricted directory and carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, no required privileges and no user interaction, with high confidentiality impact.
An unauthenticated remote attacker can exploit the issue to traverse directories and download arbitrary files from the underlying server, exposing sensitive data without any authentication or user interaction.
Public advisories published by iThemes and Patchstack in September 2022 describe the vulnerability and direct administrators to the corresponding security reports for remediation guidance.
The associated EPSS score currently stands at 0.9194 with a recorded peak of 0.9276.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53276
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1.
- CWE(s): CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
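The control above, shown as an added example that is not BackupBuddy's own code: a download handler that canonicalises the requested name against the backup directory and refuses anything that resolves outside it. Python is used here for illustration; the directory layout and file names are constructed for the demo.

```python
import os
import tempfile

def resolve_download_path(base_dir, requested):
    """Map a user-supplied file name onto base_dir.

    Returns the canonical absolute path if it stays inside base_dir,
    otherwise None. Hypothetical helper, not the plugin's own code.
    """
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments AND follows symlinks, so a link
    # planted inside base_dir that points elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath avoids the prefix bug where "/srv/backups2" would pass
    # a naive startswith("/srv/backups") check.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def run_demo():
    """Build a constructed directory tree and classify sample requests.

    Returns a dict: request label -> True if the download would be served.
    """
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    os.makedirs(backups)
    with open(os.path.join(backups, "site.zip"), "w") as f:
        f.write("constructed archive")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("constructed secret outside the backup directory")
    try:  # a symlink inside the allowed directory pointing outside it
        os.symlink(os.path.join(root, "wp-config.php"),
                   os.path.join(backups, "link.zip"))
    except (OSError, NotImplementedError):
        pass  # platforms without symlink support: request still refused
    requests = {
        "legit": "site.zip",
        "dotdot": "../wp-config.php",
        "nested": "sub/../../wp-config.php",
        "absolute": os.path.join(root, "wp-config.php"),
        "symlink": "link.zip",
    }
    return {k: resolve_download_path(backups, v) is not None
            for k, v in requests.items()}
```

Only the legitimate archive name is served; the parent-directory, absolute-path and symlink requests all resolve outside the backup directory and are refused.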