Over 90,000 WordPress Sites at Risk Due to Critical Plugin Flaw

A significant security flaw in the popular WordPress plugin "Backup Migration," which boasts over 90,000 installations, has been identified. This vulnerability, designated CVE-2023-6553 and assigned a critical 9.8 out of 10 severity rating, could enable attackers to remotely execute code, compromising the affected websites.

Backup Migration is a tool used by administrators for automating website backups, either locally or to Google Drive. The vulnerability was uncovered by the Nex Team, a group of bug hunters, and reported through Wordfence's recently initiated bug bounty program.

The issue affects all versions of the plugin up to and including 1.3.6. It allows attackers to perform remote code execution by injecting PHP code through the /includes/backup-heart.php file, without needing any user interaction.

The vulnerability stems from the way the plugin processes certain inputs. Attackers can manipulate these inputs to execute arbitrary PHP code on the server, posing a significant threat to website security.

Wordfence, a WordPress security firm, detailed the flaw's mechanism: the plugin's BMI_ROOT_DIR constant is derived from the value of the content-dir HTTP header, so an attacker who controls that header can influence which PHP files the plugin includes, up to and including malicious ones.

Recognizing the severity, the developers behind Backup Migration, BackupBliss, swiftly released a patch. Despite the availability of the updated version 1.3.8, many websites remain at risk, with around 50,000 still using vulnerable versions a week after the patch release.

Administrators are urged to update their plugins promptly to mitigate the risk of CVE-2023-6553 attacks. This incident is part of a broader trend of security challenges faced by WordPress, including a recent phishing campaign targeting administrators and another vulnerability related to Property Oriented Programming.
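As an added example (not code from the article, Wordfence or BackupBliss), the following Python script shows two checks an administrator might run in response to the mechanism and the update advice above: a version test that flags any installed Backup Migration release below the patched 1.3.8, and a scan of web-server access logs for requests to `backup-heart.php` that carry a `Content-Dir` header, the input the article identifies as attacker-controlled. It assumes the access-log format has been extended to append that header (Apache's `%{Content-Dir}i` token); the sample log lines, the IP addresses and the plugin directory name `backup-migration` are constructed for illustration and are not taken from the page.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Release the article reports as carrying the fix; anything below it should be updated.
PATCHED_VERSION = (1, 3, 8)

# Assumed log layout: Apache "combined" format with one extra quoted field,
# the request's Content-Dir header, appended via LogFormat token %{Content-Dir}i.
# Apache logs "-" for that field when the header is absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<content_dir>[^"]*)"$'
)

# Constructed sample log lines (documentation IPs, placeholder plugin directory).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Dec/2023:10:00:00 +0000] "POST /wp-content/plugins/backup-migration/includes/backup-heart.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "/tmp/example"',
    '203.0.113.20 - - [15/Dec/2023:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    '203.0.113.30 - - [15/Dec/2023:10:02:00 +0000] "POST /wp-content/plugins/backup-migration/includes/backup-heart.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version string such as '1.3.6' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(version: str) -> bool:
    """True if the installed Backup Migration version predates the 1.3.8 patch."""
    return parse_version(version) < PATCHED_VERSION


def parse_line(line: str) -> Optional[dict]:
    """Parse one extended access-log line; None if it does not match the layout."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def flag_backup_heart_requests(lines: Iterable[str], expected_root: Optional[str] = None) -> List[dict]:
    """Return requests to backup-heart.php that set a Content-Dir header.

    With expected_root given, only header values that do not start with that
    directory are returned, so the plugin's own expected value is not reported.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].lower().endswith("/includes/backup-heart.php"):
            continue
        content_dir = rec["content_dir"]
        if content_dir in ("", "-"):
            continue  # header absent: nothing for this check to examine
        if expected_root is not None and content_dir.startswith(expected_root):
            continue  # header points where the plugin is expected to point
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for v in ("1.3.6", "1.3.8"):
        print(f"version {v}: {'UPDATE REQUIRED' if needs_update(v) else 'patched'}")
    for hit in flag_backup_heart_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} Content-Dir={hit['content_dir']!r}")
```

Run it against your own extended access log by replacing `SAMPLE_LOG` with the file's lines; pass `expected_root` set to the directory the plugin legitimately uses so that only unexpected header values are reported, and review flagged values rather than treating every hit as a confirmed compromise.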
