Cyber Resilience

CVE-2022-31474

High

Published: 13 March 2023
Modified: 28 April 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9194 (99.7th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31474 is a high-severity Path Traversal (CWE-22) vulnerability in iThemes BackupBuddy. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-31474 is a path traversal vulnerability, tracked as CWE-22, that affects the iThemes BackupBuddy WordPress plugin in versions 8.5.8.0 through 8.7.4.1. The flaw permits improper limitation of pathnames to restricted directories and carries a CVSS 3.1 score of 7.5 reflecting network attack vector, low complexity, and no required privileges or user interaction, resulting in high confidentiality impact.

An unauthenticated remote attacker can exploit the issue to traverse directories and download arbitrary files from the underlying server, exposing sensitive data without any authentication or user interaction.

Public advisories published by iThemes and Patchstack in September 2022 describe the vulnerability and direct administrators to the corresponding security reports for remediation guidance.

The associated EPSS score currently stands at 0.9194 with a recorded peak of 0.9276.

EU & UK References

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ithemes
backupbuddy
8.5.8.0 — 8.7.5.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
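The control above is the generic fix for CWE-22: canonicalise the requested path and prove it still lies inside the directory the handler is allowed to serve from. The block below is an added example written for this page, not code from BackupBuddy, iThemes or Patchstack; the backup directory, the file names and the request strings are constructed for illustration. It contrasts a blocklist-style check (`naive_is_safe`, which only looks for a literal `../`) with a containment check (`resolve_within`) that decodes the request, resolves symlinks, and rejects anything whose canonical path is not under the base directory.

```python
"""Hardened download-path resolution for a "download a file by name" handler.

Added example, not code from BackupBuddy or iThemes. The base directory and
the request strings below are constructed for illustration.
"""
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_is_safe(requested: str) -> bool:
    """A blocklist-style check that weak handlers tend to rely on.

    It rejects a literal '../' but not URL-encoded or absolute forms, which is
    why it is shown here only as the weak variant to compare against.
    """
    return "../" not in requested and "..\\" not in requested


def resolve_within(base_dir: str, requested: str) -> Optional[Path]:
    """Return the canonical path of `requested` if it lies inside `base_dir`.

    Returns None for any request that would leave the base directory:
    '..' segments, URL-encoded variants, absolute paths, NUL bytes, and
    symlink-based escapes (resolve() follows symlinks before the
    containment check is made).
    """
    decoded = unquote(requested)
    if not decoded or "\x00" in decoded:
        return None
    base = Path(base_dir).resolve()
    # Joining an absolute `decoded` discards `base`; resolve() then makes the
    # relative_to() check below fail, which is the intended outcome.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if candidate == base:  # the directory itself is not a downloadable file
        return None
    return candidate


def serve_download(base_dir: str, requested: str) -> Optional[bytes]:
    """Read a file only after it has been proven to sit under base_dir."""
    target = resolve_within(base_dir, requested)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict:
    """Build a throwaway backup directory (constructed data) and exercise the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "backups"
        (backups / "daily").mkdir(parents=True)
        (backups / "daily" / "site.zip").write_bytes(b"PK\x03\x04constructed")
        # A file one level above the serving directory that must never be readable.
        (Path(tmp) / "wp-config.php").write_text("<?php // constructed secret")
        return {
            "legit": serve_download(str(backups), "daily/site.zip"),
            "dotdot": serve_download(str(backups), "../wp-config.php"),
            "encoded": serve_download(str(backups), "..%2Fwp-config.php"),
            "absolute": serve_download(str(backups), str(Path(tmp) / "wp-config.php")),
            "naive_passes_encoded": naive_is_safe("..%2Fwp-config.php"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The containment check deliberately runs after decoding and after `resolve()`, so it judges the path the filesystem would actually open rather than the string the client sent; the `naive_passes_encoded` entry in the demo output shows why a string blocklist alone is not a sufficient control for this weakness class.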

References