
MORE THAN 90K WORDPRESS SITES ARE VULNERABLE DUE TO A CRITICAL FLAW


WordPress (Pixabay)

A recently disclosed vulnerability in the ‘Backup Migration’ WordPress plugin has been granted a severity level of 9.8 out of 10. However, things may not be as bad as they appear because a patch is now available.

The security flaw, known as CVE-2023-6553, affects all versions of the plugin up to 1.3.7.

WordPress security site Wordfence, which works closely with the CMS platform, launched a program called “Holiday Bug Extravaganza”.

The WordPress plugin Backup Migration, which has more than 90,000 active installations, was found to have a PHP Code Injection vulnerability.

This flaw allows unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.

Upon discovering the flaw on December 6, 2023, Wordfence promptly released a firewall rule to protect users of Wordfence Premium, Wordfence Care, and Wordfence Response.

On the same day it released its firewall rule, Wordfence approached the BackupBliss team, the creators of the Backup Migration plugin. Just hours after receiving the full disclosure details, the team released a fix.

To be safe, Wordfence advises Backup Migration users to update their sites to the most recent patched version, 1.3.8.
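A quick way for a site owner to confirm whether the update landed, as an added example that is neither the article's code nor BackupBliss's. It reads the standard WordPress plugin header and compares the version field with the 1.3.8 fix version named above. The plugin directory and main-file name (`backup-backup/backup-backup.php`) are assumptions; adjust them to what is actually installed.

```php
<?php
// Added example (not from the article or the plugin): audit a WordPress
// install for an unpatched Backup Migration plugin.
// Assumption: the plugin's main file is wp-content/plugins/backup-backup/backup-backup.php.
// The fixed version, 1.3.8, is the one the article names.

const BMI_FIXED_VERSION = '1.3.8';

/**
 * Pull the "Version:" field out of a WordPress plugin file header.
 * Returns null when no such field is present.
 */
function bmi_parse_plugin_version(string $header): ?string {
    // Same shape as the header regex WordPress itself uses: optional
    // comment decoration, the field name, then the value up to end of line.
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** True when the installed version is still affected (anything below 1.3.8). */
function bmi_is_vulnerable_version(string $version): bool {
    return version_compare($version, BMI_FIXED_VERSION, '<');
}

/**
 * Check one WordPress root directory.
 * Returns 'absent', 'unknown', 'patched' or 'vulnerable'.
 */
function bmi_audit_wordpress_root(string $wpRoot): string {
    $mainFile = rtrim($wpRoot, '/') . '/wp-content/plugins/backup-backup/backup-backup.php';
    if (!is_file($mainFile)) {
        return 'absent';
    }
    // WordPress only reads the first 8 KiB of a plugin file for header fields.
    $header  = file_get_contents($mainFile, false, null, 0, 8192);
    $version = bmi_parse_plugin_version($header === false ? '' : $header);
    if ($version === null) {
        return 'unknown';
    }
    return bmi_is_vulnerable_version($version) ? 'vulnerable' : 'patched';
}

// Constructed sample header, standing in for the top of a plugin file.
$sample = "<?php\n/**\n * Plugin Name: Backup Migration\n * Version: 1.3.7\n */";
$v = bmi_parse_plugin_version($sample);
printf("sample header version %s -> %s\n", $v,
    bmi_is_vulnerable_version($v) ? 'VULNERABLE, update to ' . BMI_FIXED_VERSION : 'patched');

// Usage against a real install:  php audit.php /var/www/html
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo $argv[1], ': ', bmi_audit_wordpress_root($argv[1]), PHP_EOL;
}
```

The constructed sample reports 1.3.7 as vulnerable. Run the script with a WordPress root as its argument to audit a live install; anything other than `patched` means the plugin still needs attention.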

WHAT EXACTLY WAS THE ‘CVE-2023-6553’ VULNERABILITY?

The Backup Migration plugin for WordPress is vulnerable to remote code execution in all versions up to 1.3.7 via the “/includes/backup-heart.php” file.

An attacker can execute remote code by manipulating the value that the file passes to a PHP include statement.

That allows unauthenticated threat actors to execute code on the server with ease.

Vulnerability findings on Backup Migration WordPress Plugin (WordFence)

Wordfence described the flaw as follows: “Line 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62.”

“This means that BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”
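The root cause Wordfence describes is a path built from a request header and then handed to `include`. The example below is added here and is not the plugin's code: the weak pattern is a reconstruction based only on the description above (root directory taken from the `content-dir` header), and the hardened version shows the defender's fix, which anchors the include on the file's own location and verifies that the resolved path stays inside the plugin directory. The function names, the temporary test tree and the use of PHP 8 string helpers are assumptions of this example.

```php
<?php
// Added example, not the plugin's code: the unsafe pattern the Wordfence
// write-up describes, next to a hardened way to locate an include file.
// Assumptions: PHP 8+ (str_contains/str_starts_with); the weak function is a
// reconstruction from the article, not the real file's statements.

// --- Weak pattern (illustration only; never ship this) -------------------
// A request header is attacker-controlled, so any path derived from it is
// attacker-controlled too, and so is whatever gets included from it.
function weak_includes_dir(): string {
    $root = $_SERVER['HTTP_CONTENT_DIR'] ?? ''; // how PHP exposes a "content-dir" header
    return $root . 'includes';                  // later used as $dir . '/bypasser.php'
}

// --- Hardened pattern ----------------------------------------------------
final class SafeIncludeError extends RuntimeException {}

/** The plugin root is fixed at deploy time; nothing in the request can alter it. */
function plugin_root_dir(): string {
    return __DIR__;
}

/**
 * Resolve $relative (e.g. 'includes/bypasser.php') under $base and return the
 * absolute path, or throw if it is malformed, missing, or escapes $base.
 */
function resolve_include_path(string $base, string $relative): string {
    if ($relative === '' || str_contains($relative, "\0")) {
        throw new SafeIncludeError('empty or NUL-containing path');
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $target === false) {
        throw new SafeIncludeError("cannot resolve $relative");
    }
    // Containment check: the canonical target must sit under the canonical base.
    if (!str_starts_with($target, $baseReal . DIRECTORY_SEPARATOR)) {
        throw new SafeIncludeError("$relative escapes the plugin directory");
    }
    return $target;
}

// Self-test on a constructed temporary tree, so the script runs anywhere.
$tmp = sys_get_temp_dir() . '/bmi-demo-' . bin2hex(random_bytes(4));
mkdir("$tmp/includes", 0700, true);
file_put_contents("$tmp/includes/bypasser.php", "<?php return 'ok';");
file_put_contents("$tmp/../bmi-demo-outside.php", "<?php return 'outside';");

$result = include resolve_include_path($tmp, 'includes/bypasser.php');
echo "included in-tree file, got: $result\n";            // got: ok

foreach (['../bmi-demo-outside.php', 'includes/../../bmi-demo-outside.php', "includes/x\0.php"] as $bad) {
    try {
        resolve_include_path($tmp, $bad);
        echo "unexpected: $bad was accepted\n";
    } catch (SafeIncludeError $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Clean up the constructed tree.
unlink("$tmp/includes/bypasser.php");
unlink("$tmp/../bmi-demo-outside.php");
rmdir("$tmp/includes");
rmdir($tmp);
```

The in-tree include succeeds, while the three bad inputs are rejected before `include` ever sees them. The important design choice is that `resolve_include_path` never reads `$_SERVER`, the header or any other request data: the base directory comes from `__DIR__`, and `realpath` plus the prefix check catches `..` sequences and symlink tricks that a plain string comparison on the raw input would miss.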

In its concluding summary, Wordfence urges Backup Migration users to update the plugin before it is too late.
