Safeguard Your Website: Critical Vulnerability in Popular WordPress Plugin Exposes Thousands

A critical security flaw has been identified in the Backup Migration WordPress plugin, a tool with over 90,000 installations, that could let attackers achieve remote code execution and compromise vulnerable websites. Discovered by the Nex Team and reported under a bug bounty program, the vulnerability (CVE-2023-6553) carries a severity score of 9.8/10. It affects all plugin versions up to and including Backup Migration 1.3.6 and is exploitable through low-complexity attacks that require no user interaction.

Attackers can exploit CVE-2023-6553, gaining unauthenticated access to compromise targeted websites by executing remote code through PHP code injection in the /includes/backup-heart.php file. Wordfence, a WordPress security firm, emphasized the risk, stating, “By submitting a specially-crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”

The vulnerability lies in the plugin's /includes/backup-heart.php file, which attempts to include bypasser.php from the BMI_INCLUDES directory. That directory is built on BMI_ROOT_DIR, which the plugin defines from the content-dir HTTP header. Because that header is under the requester's control, so is the include path, which is what makes the flaw so severe.

Wordfence promptly reported the issue to BackupBliss, the plugin’s development team, on December 6. A patch (Backup Migration 1.3.8) was released within hours. However, despite the swift response, nearly 50,000 WordPress websites using vulnerable versions remain unsecured, as reported by WordPress.org download statistics.
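As an added illustration (not code from the plugin, BackupBliss or Wordfence), the PHP below shows the defensive pattern that removes this class of bug: the include root is derived from the plugin's own location with `__DIR__`, and every include candidate is canonicalised and checked against that root, so no request header can ever select the directory. It also shows the `version_compare` check an administrator can apply to the installed plugin version, using the 1.3.8 fix release named above as the threshold. The temporary directory and file names in the demonstration are constructed for this example.

```php
<?php
// Added example, not the Backup Migration plugin's own code.
// Shows (1) an include root that cannot be influenced by request data and
// (2) a canonical-path check for anything included under that root, plus
// (3) a version comparison against the first fixed release (1.3.8).

// The include root comes from the file's own location on disk, never from
// $_SERVER, headers, cookies or query parameters.
define('EXAMPLE_ROOT_DIR', __DIR__);
define('EXAMPLE_INCLUDES', EXAMPLE_ROOT_DIR . '/includes');

/**
 * Resolve $file inside $baseDir and refuse anything that escapes it.
 * Returns the canonical path, or null if the file is missing, the name
 * contains a separator or traversal sequence, or the resolved path lands
 * outside the canonical base directory.
 */
function safe_include_path(string $baseDir, string $file): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only a bare file name is acceptable: no slashes, backslashes, NULs or "..".
    if ($file === '' || strpbrk($file, "/\\\0") !== false || strpos($file, '..') !== false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($full === false) {
        return null;
    }
    // realpath() collapses symlinks, so compare canonical forms with a
    // trailing separator to avoid matching a sibling such as "includes2".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

/**
 * True when the installed plugin version is older than the fixed release.
 * In WordPress the installed version can be read with get_plugin_data();
 * here it is passed in as a string so the function runs stand-alone.
 */
function needs_update(string $installedVersion, string $fixedVersion = '1.3.8'): bool
{
    return version_compare($installedVersion, $fixedVersion, '<');
}

// --- Demonstration on a constructed plugin layout in a temp directory ---
$demoRoot = sys_get_temp_dir() . '/example_plugin_' . getmypid();
$demoIncludes = $demoRoot . '/includes';
mkdir($demoIncludes, 0700, true);
file_put_contents($demoIncludes . '/helper.php', "<?php return 'loaded';\n");

// A legitimate include resolves to a path under includes/ and can be loaded.
$good = safe_include_path($demoIncludes, 'helper.php');
echo 'helper.php => ', $good === null ? 'rejected' : include $good, PHP_EOL;

// Names carrying separators or traversal are rejected before any file access.
foreach (['../wp-config.php', 'sub/helper.php', "helper.php\0"] as $candidate) {
    $r = safe_include_path($demoIncludes, $candidate);
    echo json_encode($candidate), ' => ', $r === null ? 'rejected' : $r, PHP_EOL;
}

// Version check against the fix release named in the article.
foreach (['1.3.6', '1.3.8'] as $v) {
    echo 'Backup Migration ', $v, ' needs update: ', needs_update($v) ? 'yes' : 'no', PHP_EOL;
}

// Clean up the constructed layout.
unlink($demoIncludes . '/helper.php');
rmdir($demoIncludes);
rmdir($demoRoot);
```

The important design choice is that the base directory is a compile-time constant of the plugin's own file location and is compared after `realpath()` on both sides; validating only the file name, or only the raw string prefix, leaves room for symlink and normalisation tricks that the canonical comparison closes.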

Administrators are strongly urged to secure their websites against potential CVE-2023-6553 attacks, given the critical nature of this vulnerability, which unauthenticated malicious actors can exploit remotely. Additionally, WordPress administrators should exercise caution, as a phishing campaign is actively targeting them, aiming to install malicious plugins using fake WordPress security advisories related to a fictitious vulnerability (CVE-2023-45124).

In a related development, WordPress recently addressed a Property Oriented Programming (POP) chain vulnerability that, under certain conditions and when combined with specific plugins in multisite installations, could allow attackers to gain arbitrary PHP code execution.


One Comment

  1. Very nice post. I just stumbled upon your blog and wished to mention that I’ve truly
    enjoyed surfing around your blog posts. After all I will
    be subscribing to your feed and I’m hoping you write once more soon!
