A severe vulnerability has been discovered in the Backup Migration plug-in, which has been downloaded over 90,000 times. This flaw allows attackers to inject and execute arbitrary PHP code, posing a significant risk to WordPress sites that utilize this plug-in. The vulnerability, tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability severity scale, enables unauthenticated threat actors to compromise the entire site.
The Backup Migration plug-in offers various features, including the ability to schedule backups and customize configurations such as selecting specific files and databases for backup, storage location, and backup naming. However, this vulnerability undermines the security of the plug-in, leaving vulnerable sites exposed to potential takeover.
In response to the discovery, the Nex Team researchers promptly reported the bug to Wordfence’s bug-bounty program. Wordfence, a cybersecurity company, notified the creators of the Backup Migration plug-in, BackupBliss, who swiftly released a patch to address the vulnerability.
Wordfence’s blog post about CVE-2023-6553 highlighted the severity of the issue and revealed that they had already blocked 39 attacks targeting the vulnerability within a 24-hour period. To encourage responsible disclosure, Wordfence rewarded Nex Team with $2,751 for their contribution to the bug-bounty program.
Wordfence’s bug-bounty program, launched on November 8, has garnered a positive response from the cybersecurity community. With 270 vulnerability researchers registered and nearly 130 vulnerability submissions in its first month, the program demonstrates the collective effort to enhance the security of WordPress sites.
Exposed to Unauthenticated, Complete Site Takeover
The WordPress content management system (CMS) is widely used, with millions of websites built on it. However, this popularity also makes it a prime target for malicious actors. One common avenue of attack is plug-ins: a vulnerable or malicious plug-in can be used to install malware and leaves every site running it exposed. Additionally, attackers are quick to exploit any flaws discovered in WordPress.
The vulnerability is a remote code execution (RCE) flaw: attackers can control the value passed to an include statement and thereby execute code on the server. It was identified in the /includes/backup-heart.php file used by the Backup Migration plug-in. The flaw arises because BMI_ROOT_DIR is user-controllable: it is defined from the content-dir HTTP header, so by manipulating that header, threat actors can include malicious PHP code and execute commands on the server.
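To make the bug class concrete, here is an added illustration of the pattern described above beside a hardened form. This is constructed example code, not the plug-in's actual source or BackupBliss's patch; the header name, the constant names and the file name example-helper.php are assumptions chosen for the illustration.

```php
<?php
// Constructed illustration (not the plug-in's code): an include path is built
// from a value the client controls, so the client chooses what gets executed.

// --- Vulnerable pattern ---
// A request header becomes BMI_ROOT_DIR and that constant is then used to
// build the path handed to require_once. Nothing checks where it points.
function vulnerable_bootstrap(): void {
    // PHP exposes a "content-dir" request header as $_SERVER['HTTP_CONTENT_DIR'].
    $root = $_SERVER['HTTP_CONTENT_DIR'] ?? dirname(__DIR__);
    define('BMI_ROOT_DIR', $root);
    require_once BMI_ROOT_DIR . '/includes/example-helper.php'; // attacker-chosen path
}

// --- Hardened pattern ---
// Derive the root from the file's own location, never from the request, and
// confirm the resolved include still lives inside that directory.
function plugin_root(): string {
    $root = realpath(dirname(__DIR__));
    if ($root === false) {
        throw new RuntimeException('plugin root could not be resolved');
    }
    return $root;
}

function hardened_require(string $relative): void {
    $root   = plugin_root();
    $target = realpath($root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    // realpath() resolves ".." and returns false for stream wrappers such as
    // php:// or data://, so both traversal and wrapper tricks fail this check.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        http_response_code(400);
        exit('refusing to include a file outside the plugin directory');
    }
    require_once $target;
}

hardened_require('includes/example-helper.php');
```

The containment check is defence in depth; the essential fix is that the include root is never taken from request data in the first place.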
This RCE flaw highlights the importance of regularly updating and securing WordPress installations, as well as being cautious when installing plug-ins. Website owners should stay vigilant and take necessary measures to protect their sites from potential attacks.
Patch CVE-2023-6553 in Backup Migration Now
According to Wordfence, the flaw, which affects all versions of Backup Migration up to and including 1.3.7 via the /includes/backup-heart.php file, has been fixed in version 1.3.8. Anyone using this plug-in on a WordPress site is strongly advised to update immediately to the patched version to maintain the security of their site. Wordfence also suggests sharing this advisory with anyone who may be using the plug-in to ensure their site remains protected, as this vulnerability presents a substantial risk.