Safeguard Your Website: Critical Vulnerability in Popular WordPress Plugin Exposes Thousands

A significant security concern has been identified in the Backup Migration WordPress plugin, a tool boasting over 90,000 installations, potentially enabling attackers to achieve remote code execution and compromise vulnerable websites. Discovered by the Nex Team and reported under a bug bounty program, the security flaw (CVE-2023-6553) holds a severity score of 9.8/10. The vulnerability affects all plugin versions up to and including Backup Migration 1.3.6, allowing malicious actors to exploit it through low-complexity attacks without user interaction.

CVE-2023-6553 can be exploited without authentication: an attacker who reaches the /includes/backup-heart.php file can inject PHP code there and achieve remote code execution on the targeted website. Wordfence, a WordPress security firm, emphasized the risk, stating, “By submitting a specially-crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”

The flaw sits in the Backup Migration plugin’s /includes/backup-heart.php file, which attempts to include bypasser.php from the BMI_INCLUDES directory. BMI_ROOT_DIR is defined from the content-dir HTTP header, a value the client supplies, so the location that include resolves to is under user control, which is what makes the issue so dangerous.

Wordfence promptly reported the issue to BackupBliss, the plugin’s development team, on December 6. A patch (Backup Migration 1.3.8) was released within hours. However, despite the swift response, nearly 50,000 WordPress websites using vulnerable versions remain unsecured, as reported by WordPress.org download statistics.
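The two defender-side takeaways from the paragraphs above are that an include path must never be derived from a client-supplied header, and that sites running a release up to and including 1.3.6 need to be found and updated. The Python below is an added example, not code from the Backup Migration plugin or from Wordfence, and it makes three assumptions it labels inline: the on-disk plugin root, a key=value access-log layout in which the logged `hdr_content_dir` field holds the request’s content-dir header, and the `/wp-content/plugins/backup-migration/` prefix on the request path (only the `/includes/backup-heart.php` suffix comes from the article). It shows a containment check of the kind that stops a header-chosen directory from ever being included, a version predicate for the affected range, and a detection pass over constructed log lines that flags requests to backup-heart.php carrying a content-dir header, something a browser never sends on its own.

```python
import os
from typing import List, Optional, Tuple

# Constructed: where the plugin is assumed to live on disk. The real install
# path depends on the site; only the "/includes/backup-heart.php" suffix is
# taken from the advisory text.
PLUGIN_ROOT = "/srv/www/wp-content/plugins/backup-migration"
HEART_SUFFIX = "/includes/backup-heart.php"


def resolve_include_dir(client_value: Optional[str], plugin_root: str = PLUGIN_ROOT) -> str:
    """Hardened stand-in for choosing the directory a script includes from.

    The vulnerable pattern let a client-supplied 'content-dir' header define
    the root that bypasser.php was loaded from. Here the server-side default
    always wins unless the client value, after normalisation, still resolves
    to a location inside plugin_root; anything else falls back to the default.
    """
    default = os.path.join(plugin_root, "includes")
    if not client_value:
        return default
    root = os.path.realpath(plugin_root)
    candidate = os.path.realpath(os.path.join(root, client_value))
    # Containment check: the normalised candidate must sit beneath root.
    if os.path.commonpath([root, candidate]) != root:
        return default
    return candidate


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.6' into (1, 3, 6) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version: str) -> bool:
    """Affected range per the advisory: every release up to and including 1.3.6."""
    return parse_version(version) <= (1, 3, 6)


# Constructed access-log sample in a key=value layout (hypothetical format;
# hdr_content_dir is assumed to be the logged value of the content-dir
# request header, '-' when the header was absent).
SAMPLE_LOG = """\
ts=2023-12-07T10:01:02Z method=POST path=/wp-content/plugins/backup-migration/includes/backup-heart.php hdr_content_dir=- status=200
ts=2023-12-07T10:01:05Z method=GET path=/wp-login.php hdr_content_dir=- status=200
ts=2023-12-07T10:02:11Z method=POST path=/wp-content/plugins/backup-migration/includes/backup-heart.php hdr_content_dir=/srv/untrusted status=200
ts=2023-12-07T10:03:40Z method=GET path=/index.php hdr_content_dir=/srv/untrusted status=404
"""


def parse_log_line(line: str) -> dict:
    """Split one key=value log line into a dict (tokens without '=' are ignored)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def flag_suspicious_requests(log_text: str) -> List[str]:
    """Return timestamps of requests to backup-heart.php that carried a
    content-dir header. Ordinary clients never set that header, so its
    presence on this endpoint is worth alerting on regardless of status code."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("path", "").endswith(HEART_SUFFIX) and rec.get("hdr_content_dir", "-") != "-":
            hits.append(rec["ts"])
    return hits


if __name__ == "__main__":
    print(resolve_include_dir("/srv/untrusted"))   # falls back to the server-side default
    print(is_vulnerable_version("1.3.6"), is_vulnerable_version("1.3.8"))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The containment check relies on normalising both sides with `realpath` before comparing, so a value that only looks like it lives under the plugin root is rejected along with plainly foreign paths. The detection deliberately ignores the response status: a 200 on the third sample line is the case that matters most, and a failed attempt is still an attempt worth seeing.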

Administrators are strongly urged to secure their websites against potential CVE-2023-6553 attacks, given the critical nature of this vulnerability, which unauthenticated malicious actors can exploit remotely. Additionally, WordPress administrators should exercise caution, as a phishing campaign is actively targeting them, aiming to install malicious plugins using fake WordPress security advisories related to a fictitious vulnerability (CVE-2023-45124).

In a related development, WordPress recently addressed a Property Oriented Programming (POP) chain vulnerability that, under certain conditions and when combined with specific plugins in multisite installations, could allow attackers to gain arbitrary PHP code execution.

Admin

