A critical severity vulnerability in a WordPress plugin with more than 90,000 installations could allow attackers to achieve remote code execution (RCE) to fully compromise websites. Known as Backup Migration, the plugin helps administrators automate website backups to local storage or a Google Drive account.
The security flaw — tracked as CVE-2023-6553 and rated at a severity of 9.8 on the Common Vulnerability Scoring System (CVSS) — was discovered by a team of bug hunters known as the Nex Team, who reported it to the security firm of WordPress, Wordfence, based on the recently launched bug bounty program.
The vulnerability affects all plugin versions up to and including Backup Migration 1.3.6, and threat actors can exploit it in low-complexity attacks without user interaction. CVE-2023-6553 allows attackers to take control of target websites by achieving remote code execution (RCE) via injecting PHP code via the /includes/backup-heart.php file.
“This is due to the fact that an attacker is able to control the values passed to an include and later leverage this to achieve remote code execution. This enables unauthenticated threat actors to easily execute code on the server,” said Wordfence on Monday the 11th.
“By sending a specially crafted request, threat actors can leverage this issue to include arbitrary and malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance,” added the security company.
Wordfence reported the critical security flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6, with the developers releasing a patch hours later. However, despite the release of the patched version of the Backup Migration 1.3.8 plugin on the day of the report, almost 50 thousand WordPress sites using a vulnerable version still need to be protected almost a week later, as shown by WordPress.org, download statistics from organization.
Administrators are advised to protect their websites against potential CVE-2023-6553 attacks as this is a critical vulnerability that threat actors can exploit remotely.
WordPress administrators are also being targeted by a phishing campaign that attempts to trick them into installing malicious plugins using fake WordPress security warnings for a fictitious vulnerability tracked as CVE-2023-45124 as bait.
Last week, WordPress also fixed a property-oriented programming (POP) chain vulnerability that could allow attackers to achieve arbitrary PHP code execution under certain conditions (when combined with some plugins on multisite installations).
Source: CisoAdvisor
