WordPress Backup Migration exposes sites to Remote Code Execution attacks
Take action: If you are using the WordPress Backup Migration plugin, update ASAP. You cannot hide the plugin from the internet; it is part of a public website. Just update, it takes a couple of minutes.
A critical bug in the WordPress Backup Migration plugin, installed on over 90,000 sites, poses a risk for remote code execution attacks, potentially compromising websites. This plugin, designed for automating site backups to local storage or Google Drive, is vulnerable due to a security flaw tracked as CVE-2023-6553 (CVSS score 9.8).
The issue affects all versions of the plugin up to 1.3.6, allowing attackers to execute remote code via PHP code injection through the /includes/backup-heart.php file, without any user interaction. The vulnerability stems from an attacker's ability to manipulate the values passed to an include statement, enabling the execution of malicious code on the server under the WordPress instance's security context.
Specifically, line 118 of the /includes/backup-heart.php file attempts to include bypasser.php from the BMI_INCLUDES directory. However, because BMI_ROOT_DIR is defined from the content-dir HTTP header (line 62), the include path ends up under user control.
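To make the defect concrete, the following is an added illustration (not code from the Backup Migration plugin) of the unsafe pattern the advisory describes beside a hardened replacement: the base directory is fixed at the code's own location, the file name comes from an allow-list, and the resolved path is verified to stay inside the plugin's includes directory. The header name, constant names and the `includes` layout are assumptions.

```php
<?php
// Added example, not the plugin's code.
//
// Unsafe pattern (as the advisory describes it): a directory that later feeds
// include() is taken straight from a request header, so a remote client can
// influence which file the server executes.  Assumed header mapping:
//   define('BMI_ROOT_DIR', $_SERVER['HTTP_CONTENT_DIR']);
//   include BMI_INCLUDES . '/bypasser.php';

// Hardened pattern: nothing request-derived takes part in building the path.
const SAFE_INCLUDES_DIR = __DIR__ . '/includes';   // assumed plugin layout
const ALLOWED_INCLUDES  = ['bypasser.php'];        // explicit allow-list

/**
 * Resolve an include file by name, or return null if it is not allowed,
 * does not exist, or resolves (via symlink or traversal) outside the
 * plugin's own includes directory.
 */
function safe_include_path(string $name): ?string
{
    if (!in_array($name, ALLOWED_INCLUDES, true)) {
        return null;                               // not a permitted file
    }
    $base = realpath(SAFE_INCLUDES_DIR);
    $path = realpath(SAFE_INCLUDES_DIR . '/' . $name);
    // realpath() returns false for missing files; the prefix check rejects
    // anything that resolved outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: fail closed instead of falling back to any caller-supplied location.
$target = safe_include_path('bypasser.php');
if ($target === null) {
    http_response_code(500);
    exit('required plugin file is missing or outside the plugin directory');
}
require_once $target;
```

Because the base path is derived from `__DIR__` and the file name from a constant list, a request header such as content-dir has no way to affect what gets included.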
The developers behind the plugin, BackupBliss, were alerted by Wordfence on December 6 and released a patch. Despite the availability of the updated Backup Migration 1.3.8 plugin version, approximately 50,000 websites remained unsecured a week later, according to WordPress.org download statistics.