Attackers can inject and execute arbitrary PHP code using a flaw in Backup Migration, which has been downloaded more than 90K times.
December 12, 2023
A critical unauthenticated remote control execution (RCE) bug in a backup plug-in that's been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover — another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.
A cadre of vulnerability researchers called Nex Team discovered a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators can use to facilitate the creation of a backup site. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.
Features of the plug-in include the ability to schedule backups to occur in a timely way and with various configurations, including defining exactly which files and/or databases should be in the backup, where the backup will be stored, the name of the backup, etc.
"This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise," Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553. Wordfence said it blocked 39 attacks targeting the vulnerability just in the 24 hours before the post was written.
The Nex Team researchers submitted the bug to a recently created bug-bounty program by Wordfence. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.
The company also awarded Nex Team $2,751 for reporting the bug to its bounty program, which was just launched on Nov. 8. So far, Wordfence reported there has been a positive response to its program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.
With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of those come via plug-ins that install malware and provide an easy way to expose thousands or even millions of sites to potential attack. Attackers also tend to quickly jump on flaws that are discovered in WordPress.
The RCE flaw arises from "an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code-execution," according to a post on the Wordfence site. "This makes it possible for unauthenticated attackers to easily execute code on the server."
Specifically, line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64; however, that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62, which creates the flaw.
"This means that BMI_ROOT_DIR is user-controllable," Thomas wrote. "By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance."
All versions of Backup Migration up to and including 1.3.7 via the /includes/backup-heart.php file are vulnerable to the flaw, which is fixed in version 1.3.8. Anyone using the plug-in on a WordPress site should update it as soon as possible to the patched version, according to Wordfence.
"If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," according to the Wordfence post.
Elizabeth Montalbano, Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
You May Also Like
Black Hat USA – Aug 3-8 – The Premier Technical Cybersecurity Conference – Learn More
Black Hat Europe – December 9-12 – Learn More
SecTor – Canada’s IT Security Conference Oct 22-24 – Learn More
2024 InformationWeek US IT Salary Report
Elastic named a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022
2023 Global Threat Report
EMA: AI at your fingertips: How Elastic AI Assistant simplifies cybersecurity
Incident Readiness and Building Response Playbook
IT Risk & Compliance Platforms: A Buyer’s Guide
Threat Hunting in the Cloud: Adapting to the New Landscape
State of Enterprise Cloud Security
Shining a light in the dark: observability and security, a SANS profile
The Future of Cloud Security: Attack Paths & Graph-based Technology
Black Hat USA – Aug 3-8 – The Premier Technical Cybersecurity Conference – Learn More
Black Hat Europe – December 9-12 – Learn More
SecTor – Canada’s IT Security Conference Oct 22-24 – Learn More
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.