50K WordPress sites exposed to RCE attacks by critical bug in backup plugin

Trending 2 months ago


A analytical severity vulnerability in a WordPress plugin with added than 90,000 installs can let attackers accretion alien cipher beheading to absolutely accommodation accessible websites.

Known as Backup Migration, the plugin helps admins automate armpit backups to bounded accumulator or a Google Drive account.

The aegis bug (tracked as CVE-2023-6553 and rated with a 9.8/10 severity score) was apparent by a aggregation of bug hunters accepted as Nex Team, who appear it to WordPress aegis close Wordfence beneath a afresh launched bug advantage program.

It impacts all plugin versions up to and including Backup Migration 1.3.6, and awful actors can accomplishment it in low-complexity attacks after user interaction.

CVE-2023-6553 allows counterfeit attackers to booty over targeted websites by accepting alien cipher beheading through PHP cipher bang via the /includes/backup-heart.php file.

"This is due to an antagonist actuality able to ascendancy the ethics anesthetized to an include, and after advantage that to accomplish alien cipher execution. This makes it accessible for counterfeit blackmail actors to calmly assassinate cipher on the server," Wordfence said on Monday.

"By appointment a specially-crafted request, threat-actors can advantage this affair to accommodate arbitrary, awful PHP cipher and assassinate approximate commands on the basal server in the aegis ambience of the WordPress instance."

In the /includes/backup-heart.php book acclimated by the Backup Migration plugin, an attack is fabricated to absorb bypasser.php from the BMI_INCLUDES agenda (defined by amalgamation BMI_ROOT_DIR with the includes string) at band 118.

However, BMI_ROOT_DIR is authentic through the content-dir HTTP attack begin on band 62, thereby authoritative BMI_ROOT_DIR accountable to user control.

CVE-2023-6553 accessible codeBackup Migration accessible cipher (Wordfence)

Patch appear aural hours

Wordfence appear the analytical aegis blemish to BackupBliss, the development aggregation abaft the Backup Migration plugin, on December 6, with the developers absolution a application hours later.

However, admitting the absolution of the patched Backup Migration 1.3.8 plugin adaptation on the day of the report, about 50,000 WordPress websites application a accessible adaptation still accept to be anchored about one anniversary later, as WordPress.org org download stats show.

Admins are acerb audacious to defended their websites adjoin abeyant CVE-2023-6553 attacks, accustomed that this is a analytical vulnerability that counterfeit awful actors can accomplishment remotely.

WordPress administrators are additionally being targeted by a phishing attack attempting to ambush them into installing awful plugins application affected WordPress aegis advisories for a apocryphal vulnerability tracked as CVE-2023-45124 as bait.

Last week, WordPress additionally anchored a Property Oriented Programming (POP) chain vulnerability that could acquiesce attackers to accretion approximate PHP cipher beheading beneath assertive altitude (when accumulated with some plugins in multisite installations).