
A critical vulnerability in a WordPress backup plugin has exposed around 50,000 WordPress sites to Remote Code Execution (RCE) attacks

A critical vulnerability has been discovered in Backup Migration, a WordPress plugin installed on more than 90,000 websites. The flaw, tracked as CVE-2023-6553 and rated 9.8/10 on the CVSS scale, lets attackers execute code remotely on vulnerable websites, potentially leading to a full site compromise. The plugin automates site backups to local storage or to a Google Drive account. The bug was reported by Nex Team, a group of bug hunters, through WordPress security firm Wordfence’s bug bounty program. It affects all plugin versions up to Backup Migration 1.3.6, and exploitation is a low-complexity attack that requires no user interaction.

The flaw lets unauthenticated attackers take control of targeted websites by achieving remote code execution through PHP code injection in the plugin’s “/includes/backup-heart.php” file. The root cause is that the attacker controls the value passed to an include statement, so the server can be made to load and execute a file of the attacker’s choosing without any authentication. By crafting a request that sets that value, a threat actor can inject arbitrary, malicious PHP code and run commands on the server in the security context of the WordPress instance, that is, with the privileges of the web server user the site runs as.


The issue stems from the “/includes/backup-heart.php” file, which includes “bypasser.php” from the BMI_INCLUDES directory. BMI_INCLUDES is derived from BMI_ROOT_DIR, and BMI_ROOT_DIR is defined from the content-dir HTTP header of the incoming request, which puts the path of the included file under user control. Wordfence reported the vulnerability to BackupBliss, the plugin’s development team, on December 6, and a patch followed shortly afterward in Backup Migration version 1.3.8. Despite the patch’s availability, WordPress.org statistics indicate that almost 50,000 websites were still running vulnerable versions nearly a week after the fix.
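To make the bug class concrete, here is an added example of the vulnerable include pattern beside a hardened version. It is not code from the Backup Migration plugin: the constant names BMI_ROOT_DIR and BMI_INCLUDES, the content-dir header and the file name bypasser.php come from the advisory text above, while the function names, the throw-away plugin directory and the sample request arrays are invented for this illustration.

```php
<?php
// Added illustration of the bug class described above. This is NOT code from the
// Backup Migration plugin: the constant names BMI_ROOT_DIR and BMI_INCLUDES, the
// "content-dir" header and the file name bypasser.php come from the advisory;
// the function names and the sample request arrays are invented for the example.

// Vulnerable pattern: the root of an include path is read from a request header.
// PHP exposes a "content-dir" request header as $_SERVER['HTTP_CONTENT_DIR'], so an
// unauthenticated client fully controls the root and therefore which file is loaded.
function vulnerableIncludePath(array $server): string
{
    $bmiRootDir  = $server['HTTP_CONTENT_DIR'] ?? '';   // stands in for BMI_ROOT_DIR
    $bmiIncludes = $bmiRootDir . '/includes';           // stands in for BMI_INCLUDES
    return $bmiIncludes . '/bypasser.php';              // the path require_once would load
}

// Hardened pattern: anchor on the plugin's own location on disk, resolve symlinks
// and ".." with realpath(), and refuse anything that does not stay inside that
// directory. Request data never reaches the path at all.
function hardenedIncludePath(string $pluginDir, string $relative): string
{
    $root   = realpath($pluginDir);
    $target = realpath($pluginDir . '/' . $relative);
    if ($root === false || $target === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException("refusing to include '$relative': outside the plugin directory");
    }
    return $target;
}

// --- Demonstration with constructed request environments (no web server needed) ---

$attacker = ['HTTP_CONTENT_DIR' => '/tmp/attacker-controlled'];   // constructed request
$normal   = [];                                                    // header absent

echo 'vulnerable, attacker header : ', vulnerableIncludePath($attacker), PHP_EOL;
// Any file the attacker can place or reach at that path is parsed and run as PHP.
echo 'vulnerable, no header       : ', vulnerableIncludePath($normal), PHP_EOL;

// Throw-away plugin directory so the hardened version has real paths to resolve.
$pluginDir = sys_get_temp_dir() . '/bmi-example-' . bin2hex(random_bytes(4));
mkdir($pluginDir . '/includes', 0700, true);
file_put_contents($pluginDir . '/includes/bypasser.php', "<?php\n// placeholder\n");
@symlink('/etc/passwd', $pluginDir . '/includes/escape.php');   // symlink escape attempt

echo 'hardened, legitimate file   : ', hardenedIncludePath($pluginDir, 'includes/bypasser.php'), PHP_EOL;

// Both a ".." traversal and a symlink pointing outside the plugin directory are
// rejected, because realpath() resolves them before the prefix check runs.
foreach (['../../../etc/passwd', 'includes/escape.php'] as $bad) {
    try {
        hardenedIncludePath($pluginDir, $bad);
        echo "UNEXPECTED: $bad was accepted", PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'blocked                     : ', $e->getMessage(), PHP_EOL;
    }
}

// Clean up the throw-away directory.
@unlink($pluginDir . '/includes/escape.php');
unlink($pluginDir . '/includes/bypasser.php');
rmdir($pluginDir . '/includes');
rmdir($pluginDir);
```

Run it from the command line with `php example.php`; it needs no web server because the request environment is passed in as an array instead of being read from `$_SERVER`. The point of the hardened version is not the prefix check alone but that the include root comes from `__DIR__`-style constants on disk rather than from anything in the request. On a live site the quickest triage remains checking the installed plugin version (the Plugins screen, or `wp plugin list` with WP-CLI) against 1.3.8.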

WordPress administrators are strongly advised to secure their websites against attacks exploiting CVE-2023-6553. Because the vulnerability lets unauthenticated attackers execute code remotely, site owners should update the plugin to 1.3.8 or later without delay. Separately, a phishing campaign has been targeting WordPress administrators, using fake security advisories for a fictitious vulnerability (CVE-2023-45124) as bait to trick them into installing a malicious plugin.

In a related security update, WordPress recently addressed a Property Oriented Programming (POP) chain vulnerability. Under specific conditions, in particular in combination with certain plugins on multisite installations, this flaw could allow attackers to achieve arbitrary PHP code execution. As the WordPress ecosystem is a frequent target, website administrators should remain vigilant, keep plugins and themes up to date, and apply security patches promptly.
