
Critical Bug in Backup Migration Plugin Exposes 50,000 WordPress Sites to RCE Attacks

NewsDesk December 12, 2023 Security


A critical vulnerability in the popular WordPress plugin “Backup Migration” has left over 50,000 websites exposed to potential remote code execution (RCE) attacks. The flaw, tracked as CVE-2023-6553, carries a severity score of 9.8/10. It was discovered and reported by bug hunters from Nex Team, and its disclosure was handled by Wordfence, a WordPress security firm.

The Backup Migration plugin is designed to help administrators automate website backups to local storage or a Google Drive account. However, the recently identified security flaw allows attackers to gain full control of vulnerable websites through remote code execution.

The security issue affects all plugin versions up to and including Backup Migration 1.3.6. Malicious actors can exploit the vulnerability through low-complexity attacks without requiring user interaction. The specific attack vector involves PHP code injection via the “/includes/backup-heart.php” file, enabling unauthenticated attackers to take over targeted websites.

Wordfence highlighted the severity of the vulnerability, stating, “By submitting a specially-crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”

Wordfence reported the critical security flaw to BackupBliss, the company behind the plugin, on December 6. BackupBliss fixed the flaw quickly and released a patch within hours. Despite the fast fix, most sites running the plugin have yet to update it: statistics from WordPress.org show that nearly 50,000 websites were still running vulnerable versions a week after the patch was released.

Website administrators are strongly urged to update their Backup Migration plugin to the patched version (1.3.8) to safeguard their websites against potential CVE-2023-6553 attacks. The nature of the vulnerability allows unauthenticated malicious actors to exploit websites remotely.
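The two facts an administrator can act on from the paragraphs above are the affected version range (up to and including 1.3.6, patched in 1.3.8) and the file named as the injection point (`/includes/backup-heart.php`). The following script is an added example, not code from the article, Wordfence or BackupBliss: it reads the version out of a WordPress plugin header, decides whether it falls in the affected range, and pulls direct requests to `backup-heart.php` out of Apache/Nginx-style access log lines for review. The plugin directory name `backup-backup` in the constructed sample log and the `Version:` header format are assumptions; the match itself only relies on the path suffix the article gives.

```python
"""
Added example (not from the article or the plugin vendor): defender-side
triage for CVE-2023-6553 in the Backup Migration WordPress plugin.

1. Version triage: the article states all versions up to and including
   1.3.6 are affected and 1.3.8 is the patched release.
2. Log triage: the article names /includes/backup-heart.php as the injection
   point, so direct requests to that file are worth a look. The plugin's own
   backup process may also request this file, so treat hits as a review
   queue, not as confirmed exploitation.
"""
import re
from typing import List, Tuple

LAST_VULNERABLE = (1, 3, 6)   # per the article: "up to and including 1.3.6"
PATCHED_VERSION = "1.3.8"     # per the article
VULN_PATH_SUFFIX = "/includes/backup-heart.php"  # per the article

# Constructed sample plugin header (assumed WordPress header format).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Version: 1.3.6
 */
"""

# Constructed sample access log lines; 'backup-backup' is an assumed
# plugin directory name, the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2023:10:01:02 +0000] "GET /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Dec/2023:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/Dec/2023:10:01:04 +0000] "POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 500 128',
    'garbage line that does not parse',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.3.6' into (1, 3, 6); missing components count as 0,
    non-numeric suffixes (e.g. '1.3.6-beta') are ignored."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(version: str) -> bool:
    """True if the installed version is inside the affected range (<= 1.3.6)."""
    return parse_version(version) <= LAST_VULNERABLE


def extract_plugin_version(header_text: str) -> str:
    """Read the 'Version:' line from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def flag_backup_heart_requests(log_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for every request whose path ends
    in /includes/backup-heart.php. Query strings are stripped before matching
    and unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.endswith(VULN_PATH_SUFFIX):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    installed = extract_plugin_version(SAMPLE_PLUGIN_HEADER)
    state = "VULNERABLE, update to %s" % PATCHED_VERSION if is_vulnerable_version(installed) else "not in affected range"
    print("Backup Migration %s: %s" % (installed, state))
    for ip, method, path, status in flag_backup_heart_requests(SAMPLE_LOG):
        print("review: %s %s %s -> %d" % (ip, method, path, status))
```

Run it against the real plugin's main file and your web server's access log instead of the constructed samples; an installed version of 1.3.6 or lower is the actionable finding, and repeated direct hits on `backup-heart.php` from a single external address are the lines to correlate with that finding.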

WordPress users need to stay informed about the latest vulnerabilities reported in plugins. These recent vulnerabilities highlight the ongoing challenges faced by one of the world’s most widely used content management systems. Last week, WordPress also addressed a Property Oriented Programming (POP) chain vulnerability.
