50,000 WordPress Sites Vulnerable to Remote Code Execution Due to Backup Migration Plugin Bug

Critical Vulnerability in Backup Migration Plugin Threatens 50,000 WordPress Sites

A critical vulnerability has been discovered in the popular WordPress backup plugin Backup Migration, which has over 90,000 active installations. This bug allows attackers to remotely execute code and fully compromise affected websites.

Details of the Vulnerability

The vulnerability, identified as CVE-2023-6553, received a severity score of 9.8 out of 10 on the CVSS scale. It was found by bug hunters from Nex Team and reported to Wordfence as part of a recently launched bug bounty program.

All versions of Backup Migration up to 1.3.6 are affected. Attackers can exploit this flaw through simple attacks that do not require any user interaction. Specifically, CVE-2023-6553 enables unauthenticated attackers to take over target sites via remote code execution, using a PHP injection in the /includes/backup-heart.php file.

According to a statement from Wordfence: "An attacker can control the values passed to the include statement and subsequently use them for remote code execution. As a result, unauthenticated attackers can easily execute code on the server."

Patch Released, But Many Sites Remain at Risk

Wordfence notified the developers of the Backup Migration plugin about the critical bug on December 6. Just a few hours later, the developers released a patch. However, despite the release of the fixed version (1.3.8), official statistics from WordPress.org show that around 50,000 WordPress sites are still running vulnerable versions of the plugin.

Administrators are strongly urged to update the Backup Migration plugin as soon as possible to protect their sites from potential CVE-2023-6553 attacks.
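One check an administrator can script after reading this, written as an added example that is not from the article, Wordfence or the plugin's authors: read the `Version:` field from the plugin's main-file header under a WordPress install and classify it against the versions the article gives (affected through 1.3.6, patched in 1.3.8). The plugin directory name is a placeholder, since the article does not give it, and the sample header is constructed.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Versions named in the article: affected through 1.3.6, patched in 1.3.8.
LAST_AFFECTED = (1, 3, 6)
FIXED = (1, 3, 8)

# Placeholder: the article does not name the plugin's directory under wp-content/plugins.
PLUGIN_DIR = "backup-migration-PLACEHOLDER"

# Matches the "Version:" line of a WordPress plugin file header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '1.3.6' into (1, 3, 6); a trailing suffix such as '-beta' is ignored."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) if parts else (0,)

def extract_version(header_text: str) -> Optional[str]:
    """Pull the Version: value out of a plugin header, or None if absent."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None

def classify(ver: str) -> str:
    """Compare an installed version with the ranges the article states."""
    v = parse_version(ver)
    if v <= LAST_AFFECTED:
        return "VULNERABLE"
    if v >= FIXED:
        return "PATCHED"
    return "UNVERIFIED"  # e.g. 1.3.7: the article gives no status for it

def check_install(wp_root: str) -> str:
    """Locate the plugin's main file (the one carrying 'Plugin Name:') and classify it."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_DIR
    for php in sorted(plugin_dir.glob("*.php")) if plugin_dir.is_dir() else []:
        text = php.read_text(errors="replace")
        if "Plugin Name:" in text:
            ver = extract_version(text)
            return classify(ver) if ver else "UNKNOWN_VERSION"
    return "NOT_INSTALLED"

# Constructed sample header in the format WordPress plugin main files use.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Backup Migration\n * Version: 1.3.6\n */\n"

if __name__ == "__main__":
    found = extract_version(SAMPLE_HEADER)
    print(found, classify(found))  # → 1.3.6 VULNERABLE
```

Run `check_install("/var/www/html")` (or whatever the site root is) on each host; anything other than PATCHED or NOT_INSTALLED warrants an update or a manual look.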
