A critical vulnerability in a backup plugin has left 50,000 WordPress sites susceptible to remote code execution (RCE) attacks.


A WordPress plugin, installed on over 90,000 websites, contains a critical vulnerability exposing these sites to remote code execution attacks, potentially leading to full compromise. The plugin in question, Backup Migration, assists administrators in automating site backups to either local storage or a Google Drive account.

The security flaw, identified as CVE-2023-6553 and rated 9.8/10 in severity, was uncovered by a bug-hunting team called Nex Team, who reported it to the WordPress security firm Wordfence as part of a recently launched bug bounty program.

The vulnerability affects all versions of the plugin, including Backup Migration 1.3.6, and is exploitable through low-complexity attacks that require no user interaction. CVE-2023-6553 lets unauthenticated attackers seize control of targeted websites by achieving remote code execution through PHP code injection via the /includes/backup-heart.php file.

Wordfence emphasized the risk posed by the vulnerability, stating, “This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.”
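The bug class Wordfence describes, an include statement whose path is built from attacker-controlled input, is easy to see in a small constructed illustration. The following is an added example written for this page, not code from the Backup Migration plugin and not a description of how the vendor fixed it: the function names, the `module` request parameter and the two storage-module file names are all hypothetical. It places the unsafe pattern beside a hardened form that maps untrusted input to a fixed allowlist and verifies that the resolved path stays inside the intended directory.

```php
<?php
// Added illustration (not plugin code): request-controlled include path,
// shown vulnerable and then hardened. All names here are hypothetical.

// UNSAFE pattern: the request decides which file gets included.
// Traversal sequences or stream wrappers in $request['module'] let a
// caller pull in files the developer never intended, and a file the
// caller can write (an upload, a log) becomes executable PHP.
function load_module_insecure(string $baseDir, array $request): void
{
    $path = $baseDir . '/' . ($request['module'] ?? 'default') . '.php';
    include $path;   // attacker-controlled value reaches include
}

// HARDENED version: untrusted input only selects from an allowlist, and
// the final path is confirmed to live inside $baseDir before inclusion.
function load_module_secure(string $baseDir, array $request): bool
{
    // Hypothetical modules; in a real WordPress plugin $baseDir would
    // typically come from plugin_dir_path(__FILE__).
    $allowed = [
        'local'  => 'storage-local.php',
        'gdrive' => 'storage-gdrive.php',
    ];

    $key = $request['module'] ?? '';
    if (!array_key_exists($key, $allowed)) {
        error_log("load_module_secure: rejected module key '{$key}'");
        return false;            // unknown selector: refuse, do not guess
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log("load_module_secure: path escaped base directory");
        return false;            // symlink or layout surprise: refuse
    }

    include $path;               // only an allowlisted, in-tree file
    return true;
}
```

The defensive point is that the hardened version never tries to sanitise the attacker's string; it uses the string only as a lookup key into values the developer wrote, and then double-checks the resolved filesystem path. Any request that does not match the allowlist is logged and rejected, which also gives a simple detection signal for probing attempts.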

Patch released

Wordfence promptly alerted BackupBliss, the development team responsible for the Backup Migration plugin, about the critical security flaw on December 6. The developers acted swiftly and released a patch within hours, resulting in the updated Backup Migration 1.3.8 plugin version.

Despite the timely release of the patched version, nearly 50,000 WordPress websites continue to operate with vulnerable versions, as indicated by download statistics on WordPress.org, almost one week after the initial report.

Administrators are strongly urged to secure their websites promptly, recognizing the severity of CVE-2023-6553, a critical vulnerability exploitable remotely by unauthenticated malicious actors.

In addition to this security concern, WordPress administrators are facing a phishing campaign aimed at tricking them into installing malicious plugins. The attackers employ fake WordPress security advisories, using a non-existent vulnerability tracked as CVE-2023-45124 as bait.


Notably, in the previous week, WordPress addressed a Property Oriented Programming (POP) chain vulnerability. This fix addresses a potential risk wherein attackers could achieve arbitrary PHP code execution under specific conditions, particularly when combined with certain plugins in multisite installations.
