Critical RCE Vulnerability in WordPress Backup Migration Plug-in Puts Thousands of Websites at Risk

December 12, 2023

A major unauthenticated remote control execution (RCE) vulnerability has been discovered in a widely used WordPress plug-in, Backup Migration, exposing many WordPress websites to potential compromise. This vulnerability underscores the pervasive risk presented by faulty plug-ins on the WordPress platform.

The vulnerability was identified by a group of researchers, known as Nex Team, who found a PHP code-injection vulnerability in Backup Migration. This plug-in is used by WordPress site administrators to create backup sites. The vulnerability has been assigned the identifier CVE-2023-6553 and scored a high 9.8 on the CVSS vulnerability-severity scale. The plug-in offers various features including scheduling backups and defining the specifics of the backup.

Alex Thomas, a senior web applications vulnerability researcher at Defiant, explained in a Wordfence blog post about CVE-2023-6553, "This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise." Wordfence reported that it had blocked 39 attacks targeting this vulnerability within 24 hours before the blog post was published.

The vulnerability was reported by Nex Team to Wordfence's newly launched bug-bounty program. Wordfence subsequently notified BackupBliss, the developers of the Backup Migration plug-in, and a patch was released shortly after. Nex Team received a $2,751 bounty from Wordfence for reporting the bug. The bug-bounty program has received a positive response so far, with 270 researchers registering and nearly 130 vulnerability submissions in its first month of operation.

WordPress, with hundreds of millions of websites built on its content management system (CMS), and its users present a large attack surface for threat actors. They are often the targets of malicious campaigns, many of which are executed via plug-ins that install malware, exposing thousands or even millions of sites to potential attacks. Attackers also tend to exploit flaws in WordPress as soon as they are discovered.

The RCE vulnerability stems from an attacker's ability to control the values passed to an include, which can then be leveraged to execute remote code. This allows unauthenticated attackers to easily execute code on the server. The flaw is specifically located in line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in. The vulnerability affects all versions of Backup Migration up to and including 1.3.7 via the /includes/backup-heart.php file and is fixed in version 1.3.8. Wordfence advises anyone using the plug-in on a WordPress site to update it as soon as possible to the patched version. Wordfence's post stated, "If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk."

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.