RCE in WordPress Backup Plugin puts 50,000 sites at risk

Brother

The vulnerability allows you to take control of the target site.

A critical vulnerability has been discovered in a popular WordPress plugin used on more than 90,000 sites, allowing an attacker to remotely execute code and completely take over vulnerable websites. Vulnerability CVE-2023-6553 (CVSS: 9.8) was discovered in the Backup Migration plugin, designed to automate the backup of sites to local drives or to a Google Drive account.

The bug was discovered by the Nex Team of researchers and reported to Wordfence, a WordPress security firm, as part of the recently launched Bug Bounty program. The problem applies to all versions of the plugin up to and including Backup Migration 1.3.6. An attacker can exploit the vulnerability in low-complexity attacks that do not require user interaction.

RCE vulnerability CVE-2023-6553 allows an unauthorized attacker to gain the ability to execute code on a remote server by injecting PHP code through the file /includes/backup-heart.php. This is because a cybercriminal can control the values passed to the include function and use them to execute remote code on the base server in the security context of a WordPress instance.

Wordfence reported a critical flaw to the Backup Migration BackupBliss plugin development team, and also issued a firewall rule to protect clients and sent detailed information to BackupBliss. A few hours later, the developers released a patch.

However, despite the release of a patched version of the Backup Migration plugin 1.3.8, almost 50,000 WordPress websites are using the affected version. Wordfence urged users to immediately update their sites to the latest patched version of Backup Migration 1.3.8.
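The post ends by noting that tens of thousands of sites are still running an affected release, so the practical defender task is an inventory check: find the Backup Migration plugin on each WordPress install and classify its version against the facts the post gives (all releases up to and including 1.3.6 affected, 1.3.8 patched). The script below is an added example and is not code from the post, from Wordfence or from the plugin's developers; it reads the standard WordPress plugin header comment (`Plugin Name:` / `Version:`), and the plugin directory layout it scans, the sample header it embeds, and the treatment of unlisted versions such as 1.3.7 as "unknown" are assumptions made here.

```python
"""Inventory check for the Backup Migration plugin version on a WordPress install.

Added example, not part of the original post. Version thresholds come from the
post; the directory layout (wp-content/plugins/<slug>/<main>.php) and the
sample header below are assumptions/constructed data.
"""
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (1, 3, 6)  # from the post: all versions up to and including 1.3.6
PATCHED_MIN = (1, 3, 8)   # from the post: fixed in 1.3.8
PLUGIN_NAME = "Backup Migration"

# WordPress plugin headers live in a PHP comment block at the top of the main file,
# one " * Key: value" line each.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample header (not the plugin's real file) used for the demo.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Description: Constructed sample header for the version check.
 * Version: 1.3.6
 */
"""


def parse_version(text):
    """'1.3.6' -> (1, 3, 6). Stops at the first non-numeric part ('-beta')."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts) if parts else None


def plugin_header(text):
    """Return (plugin name, version string) from a plugin header, or (None, None)."""
    name = NAME_RE.search(text)
    version = VERSION_RE.search(text)
    return (name.group(1) if name else None, version.group(1) if version else None)


def assess(version_str):
    """Classify a version string using the thresholds stated in the post."""
    v = parse_version(version_str or "")
    if v is None:
        return "unknown"
    if v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= PATCHED_MIN:
        return "patched"
    return "unknown"  # versions the post does not describe, e.g. 1.3.7


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins/*/*.php and report every copy of the plugin found.

    Returns a list of (path, version string, assessment) tuples.
    """
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        try:
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        except OSError:
            continue
        name, version = plugin_header(head)
        if name == PLUGIN_NAME:
            results.append((str(php), version, assess(version)))
    return results


if __name__ == "__main__":
    # Demo against a constructed plugins directory containing the sample header.
    with tempfile.TemporaryDirectory() as tmp:
        main_file = Path(tmp) / "backup-migration" / "backup-migration.php"
        main_file.parent.mkdir()
        main_file.write_text(SAMPLE_HEADER, encoding="utf-8")
        for path, version, verdict in scan_plugins_dir(tmp):
            print(f"{path}: version {version} -> {verdict}")
```

The check deliberately reports in-between releases (1.3.7) as "unknown" rather than guessing, because the post only states that releases up to 1.3.6 are affected and 1.3.8 is patched; treat an "unknown" result as a prompt to update to 1.3.8 anyway, which is what the post recommends.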