A WordPress plugin, Backup Migration, with over 90,000 installations, has a critical vulnerability that could allow attackers to achieve remote code execution, fully compromising vulnerable websites.

The Backup Migration plugin assists administrators in automating site backups to local storage or a Google Drive account. Discovered by the Nex Team bug hunters, the security flaw, tracked as CVE-2023-6553 with a severity score of 9.8/10, affects all plugin versions up to Backup Migration 1.3.6. Malicious actors can exploit this vulnerability in low-complexity attacks without requiring user interaction.

CVE-2023-6553 allows unauthenticated attackers to take control of targeted websites by injecting PHP code through the /includes/backup-heart.php file. The file passes attacker-controllable values to an include statement, so remote code execution is possible without authentication.

Wordfence, a WordPress security firm, emphasized the ease with which unauthenticated threat actors can execute code on the server by submitting a specially-crafted request. By leveraging this issue, attackers can include malicious PHP code and execute arbitrary commands on the server in the security context of the WordPress instance.

The vulnerability arises in the /includes/backup-heart.php file, where line 118 attempts to include bypasser.php from the BMI_INCLUDES directory. BMI_ROOT_DIR, however, is defined on line 62 from the content-dir HTTP header and is therefore under user control.

Vulnerable code. Source: Wordfence.

Wordfence reported the critical flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6. The developers promptly released a patch with the Backup Migration 1.3.8 plugin version. Despite the availability of the patched version, nearly 50,000 WordPress websites using a vulnerable version remain unsecured, as per WordPress.org download stats.
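Two checks a site owner can run from the facts above, as an added example that is not part of the original article or the plugin's code: a version test against the 1.3.8 fix, and a triage function that flags inbound requests carrying the nonstandard content-dir header or targeting backup-heart.php. The sample requests are constructed, and the plugin directory name in the second one is a placeholder.

```python
import re

PATCHED_VERSION = (1, 3, 8)               # fixed release named in the advisory
VULN_PATH = "/includes/backup-heart.php"  # vulnerable file named in the advisory
INJECTED_HEADER = "content-dir"           # user-controlled header named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.3.6' into (1, 3, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed Backup Migration version predates the 1.3.8 fix."""
    return parse_version(installed) < PATCHED_VERSION


def triage_request(raw: str) -> list[str]:
    """Inspect one raw HTTP request (request line plus headers) and return findings."""
    lines = raw.strip().splitlines()
    findings = []
    # Request line: METHOD SP TARGET SP VERSION
    _method, _, rest = lines[0].partition(" ")
    target = rest.split(" ")[0]
    if VULN_PATH in target.lower():
        findings.append("request targets backup-heart.php directly")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # No browser or ordinary client sends content-dir; its presence alone is a signal.
        if name.strip().lower() == INJECTED_HEADER:
            findings.append(f"carries {INJECTED_HEADER} header: {value.strip()!r}")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = """GET /wp-login.php HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0
"""

SUSPICIOUS_REQUEST = """POST /wp-content/plugins/PLUGIN_DIR/includes/backup-heart.php HTTP/1.1
Host: example.test
Content-Dir: /constructed/path
"""

if __name__ == "__main__":
    print("1.3.6 vulnerable:", is_vulnerable_version("1.3.6"))
    print("1.3.8 vulnerable:", is_vulnerable_version("1.3.8"))
    for finding in triage_request(SUSPICIOUS_REQUEST):
        print("finding:", finding)
```

Standard access logs do not record request headers, so the triage function needs input from a WAF, reverse proxy, or other source that captures headers.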

Administrators are strongly advised to secure their websites against potential CVE-2023-6553 attacks by updating to Backup Migration 1.3.8 or later, given the critical nature of the vulnerability. Additionally, a phishing campaign targeting WordPress administrators is attempting to trick them into installing malicious plugins, using fake WordPress security advisories for a fictitious vulnerability (CVE-2023-45124) as bait.

Last week, WordPress addressed another vulnerability, a Property Oriented Programming (POP) chain vulnerability, which, when combined with certain plugins in multisite installations, could allow attackers to gain arbitrary PHP code execution under specific conditions.
