Critical WordPress Plug-in RCE Bug Exposes Reams of Websites to Takeover
Attackers can inject and execute arbitrary PHP code using a flaw in Backup Migration, which has been downloaded more than 90K times.
December 12, 2023
A critical unauthenticated remote code execution (RCE) bug in a backup plug-in that's been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover — another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.
A cadre of vulnerability researchers called Nex Team discovered a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators use to back up a site and migrate it elsewhere. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.
The plug-in can schedule backups and configure them in detail, including exactly which files and/or databases go into the backup, where the backup is stored, and what it is named.
"This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise," Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553. Wordfence said it blocked 39 attacks targeting the vulnerability just in the 24 hours before the post was written.
The Nex Team researchers submitted the bug to a recently created bug-bounty program by Wordfence. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.
The company also awarded Nex Team $2,751 for reporting the bug to its bounty program, which was just launched on Nov. 8. So far, Wordfence reported there has been a positive response to its program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.
Exposed to Unauthenticated, Complete Site Takeover
With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of those campaigns come via flawed plug-ins, which give attackers an easy way to install malware on, and potentially compromise, thousands or even millions of sites at once. Attackers also tend to jump quickly on newly disclosed WordPress flaws.
The RCE flaw arises from "an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code-execution," according to a post on the Wordfence site. "This makes it possible for unauthenticated attackers to easily execute code on the server."
Specifically, line 118 of the plug-in's /includes/backup-heart.php file attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. BMI_INCLUDES is defined on line 64 by concatenating BMI_ROOT_DIR with the string "includes"; BMI_ROOT_DIR itself is set on line 62 from the content-dir HTTP header, and that is where the flaw lies: a value taken straight from the request decides which file the server executes.
"This means that BMI_ROOT_DIR is user-controllable," Thomas wrote. "By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance."
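The following Python is an added example, not code from the Backup Migration plug-in or from Wordfence. It models the include-path construction the advisory describes (request header to BMI_ROOT_DIR to BMI_INCLUDES to an include of bypasser.php), shows the hardened form in which request data plays no part, and adds a request-level check that a WAF rule or log review could use. The install path PLUGIN_ROOT, the plug-in directory name, and the sample requests are constructed for illustration; the Content-Dir header name and the backup-heart.php file come from the advisory.

```python
"""Added example (not code from Backup Migration or Wordfence): models the
include-path construction the advisory describes, the hardened alternative,
and a request-level check for exploitation attempts. PLUGIN_ROOT, the sample
requests and all paths are constructed for illustration."""
import os
from typing import Dict, Optional, Tuple

PLUGIN_ROOT = "/var/www/html/wp-content/plugins/backup-migration"  # assumed install path
HEART_SUFFIX = "/includes/backup-heart.php"  # file named in the advisory
HEADER = "Content-Dir"  # the content-dir request header named in the advisory


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def vulnerable_include_path(headers: Dict[str, str]) -> str:
    """The flawed pattern: BMI_ROOT_DIR comes straight from the request header,
    BMI_INCLUDES is BMI_ROOT_DIR + 'includes', and bypasser.php is included from
    there with no validation, so the caller chooses which file gets executed."""
    root = get_header(headers, HEADER) or PLUGIN_ROOT
    includes = root.rstrip("/") + "/includes"
    return includes + "/bypasser.php"


def hardened_include_path(headers: Dict[str, str]) -> str:
    """The fix: the include root is the plug-in's own on-disk location (in PHP,
    something derived from __DIR__), and request data never takes part."""
    del headers  # deliberately unused: request headers must not steer an include
    return os.path.join(PLUGIN_ROOT, "includes", "bypasser.php")


def contained(candidate: str, root: str) -> bool:
    """True only if candidate is a plain filesystem path that resolves inside root.
    Stream wrappers (php://, data://, ...) are rejected outright."""
    if "://" in candidate or candidate.lower().startswith("php:"):
        return False
    resolved = os.path.realpath(candidate)
    root_resolved = os.path.realpath(root)
    try:
        return os.path.commonpath([root_resolved, resolved]) == root_resolved
    except ValueError:  # mixing absolute and relative paths, or different drives
        return False


def classify_request(path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Heuristic for WAF rules or log review: a request to backup-heart.php whose
    Content-Dir header points outside the plug-in directory is an exploitation attempt."""
    if not path.endswith(HEART_SUFFIX):
        return False, "not the vulnerable endpoint"
    value = get_header(headers, HEADER)
    if value is None:
        return False, "no Content-Dir header"
    if contained(value, PLUGIN_ROOT):
        return False, "Content-Dir resolves inside the plug-in directory"
    return True, f"Content-Dir escapes the plug-in directory: {value!r}"


if __name__ == "__main__":
    endpoint = "/wp-content/plugins/backup-migration" + HEART_SUFFIX
    # Constructed sample requests: one benign, two hostile.
    samples = [
        (endpoint, {}),
        (endpoint, {"Content-Dir": "/tmp/attacker-upload"}),
        (endpoint, {"content-dir": "php://input"}),
    ]
    for path, headers in samples:
        print(vulnerable_include_path(headers), "->", classify_request(path, headers))
```

The point of the containment check is that it is the wrong tool for the fix but the right tool for detection: the plug-in should never derive an include root from a header at all, while a WAF or log reviewer has to decide whether a given header value is hostile, and "resolves outside the plug-in directory, or is a stream wrapper" is the distinction that matters.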
Patch CVE-2023-6553 in Backup Migration Now
All versions of Backup Migration up to and including 1.3.7 are vulnerable through the /includes/backup-heart.php file; the flaw is fixed in version 1.3.8. Anyone using the plug-in on a WordPress site should update to the patched version as soon as possible, according to Wordfence.
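For anyone responsible for more than one WordPress install, the update advice turns into a triage question: which sites still carry a version below 1.3.8? The Python below is an added example, not the plug-in's or Wordfence's code. It reads the standard WordPress plug-in header block ("Plugin Name:" and "Version:" lines) from each plug-in directory and compares versions numerically, which matters because a string comparison would wrongly rank 1.3.10 below 1.3.8. The on-disk layout, the plug-in directory name "backup-migration" and the sample sites are constructed for the demo.

```python
"""Added example (not the plug-in's or Wordfence's code): find Backup Migration
installs under a host's WordPress sites and decide whether each is below the
1.3.8 fix. Directory layout, slug and file contents are constructed for the demo."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

FIXED_VERSION = "1.3.8"  # first patched release, per the advisory
PLUGIN_NAME = "Backup Migration"


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison: '1.3.10' must sort after '1.3.8', which a plain
    string comparison gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """All versions up to and including 1.3.7 are affected."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Read the 'Key: value' lines of a WordPress plug-in's header comment block."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        pattern = rf"^\s*\*?\s*{re.escape(key)}:\s*(.+?)\s*$"
        match = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        if match:
            fields[key] = match.group(1)
    return fields


def scan_plugins_dir(plugins_dir: str) -> List[Tuple[str, str, bool]]:
    """Return (plug-in directory, version, vulnerable?) for each Backup Migration install."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for name in sorted(os.listdir(plugin_dir)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))  # header sits at the top of the file
            if header.get("Plugin Name") == PLUGIN_NAME and "Version" in header:
                findings.append((plugin_dir, header["Version"], is_vulnerable(header["Version"])))
                break
    return findings


def build_demo_site(root: str, site: str, version: str) -> str:
    """Constructed <root>/<site>/wp-content/plugins tree holding one copy of the plug-in."""
    plugins = os.path.join(root, site, "wp-content", "plugins")
    plugin_dir = os.path.join(plugins, "backup-migration")  # assumed slug, for the demo only
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "backup-migration.php"), "w", encoding="utf-8") as fh:
        fh.write(f"<?php\n/*\nPlugin Name: {PLUGIN_NAME}\nVersion: {version}\n*/\n")
    return plugins


def demo_scan(versions: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Build a throwaway multi-site tree and scan it; returns (site, version, vulnerable?)."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for site, version in versions.items():
            plugins = build_demo_site(tmp, site, version)
            for _, found_version, vulnerable in scan_plugins_dir(plugins):
                results.append((site, found_version, vulnerable))
    return results


if __name__ == "__main__":
    for site, version, vulnerable in demo_scan({"site-a": "1.3.7", "site-b": "1.3.10"}):
        print(f"{site}: Backup Migration {version} -> {'UPDATE NOW' if vulnerable else 'patched'}")
```

On a real host, point scan_plugins_dir at each site's wp-content/plugins directory instead of the constructed tree; the header parser and version comparison are unchanged.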
"If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," according to the Wordfence post.