
Critical flaw found in Backup Migration WordPress plugin [CVE-2023-6553]

Security experts are cautioning users of a widely-used WordPress plugin to promptly apply a patch or face the potential of their website being taken over remotely.

Wordfence, a security vendor, has uncovered a critical PHP code injection vulnerability in the Backup Migration plugin, assigning it a CVSS score of 9.8. This flaw (CVE-2023-6553) poses a significant risk of remote code execution. The affected plugin, Backup Migration, boasts an estimated 90,000 installations.

The vulnerability allows unauthenticated attackers to inject arbitrary PHP code and ultimately compromise the entire site. Wordfence highlighted the specific issue, stating, “The Backup Migration plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file.” The flaw arises because values passed to a PHP include can be manipulated by an attacker, which is what enables remote code execution without authentication.
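To illustrate the vulnerability class described above, the following added example (not the plugin's own code) places a request-controlled include path beside a hardened version that confines the include to a fixed allowlist under the plugin directory; the `root` parameter and module names are constructed for the illustration.

```php
<?php
// Added illustration, not the Backup Migration plugin's code: a WordPress-style
// include whose path is built from request-controlled input, beside a hardened
// version that only allows a fixed set of files inside the plugin directory.

// VULNERABLE PATTERN (do not use): the base directory comes straight from the
// request ('root' is a constructed parameter name), so the include resolves
// wherever the caller points it, including paths outside the plugin.
function load_module_unsafe(array $request): void {
    $base = $request['root'] ?? __DIR__;        // attacker-controlled value
    require_once $base . '/includes/helpers.php';
}

// HARDENED: the caller may only select a module name from an allowlist, and
// the canonical path must still live under the plugin's own includes directory.
function load_module_safe(string $module): bool {
    $allowed = ['helpers', 'scheduler', 'storage'];   // constructed module names
    if (!in_array($module, $allowed, true)) {
        return false;                                  // unknown module: refuse
    }
    $includes_dir = realpath(__DIR__ . '/includes');
    $target       = realpath($includes_dir . '/' . $module . '.php');
    // realpath() returns false for missing files and for stream wrappers such
    // as php://, and it collapses "../", so a prefix check on the canonical path
    // rejects traversal even if the allowlist check were ever loosened.
    if ($includes_dir === false || $target === false
        || strncmp($target, $includes_dir . DIRECTORY_SEPARATOR,
                   strlen($includes_dir) + 1) !== 0) {
        return false;
    }
    require_once $target;
    return true;
}

// Constructed usage: only an allowlisted name that resolves inside includes/
// is ever passed to require_once; anything else is refused before inclusion.
var_dump(load_module_safe('helpers'));          // true if includes/helpers.php exists
var_dump(load_module_safe('../wp-config'));     // false: not in the allowlist
```

The defensive point is that the include target is chosen from data the plugin owns, never assembled from anything the request supplies.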

Upon being notified by Wordfence on December 6, Backup Migration developer BackupBliss promptly addressed the vulnerability, fixing the issue within hours. The flaw was identified by a researcher participating in the Wordfence Bug Bounty Program, established on November 8. The research submission occurred on December 5, with Wordfence validating and confirming a proof-of-concept exploit the following day.

Wordfence also emphasized the success of its bug bounty program, reporting that within a month, over 270 vulnerability researchers had registered and submitted approximately 130 vulnerabilities.

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
