Backup Migration WordPress Plugin Flaw Impacts 90,000 Sites

Written by

Security researchers have warned users of a popular WordPress plugin that they need to patch urgently or risk their site being remotely hijacked.

Security vendor Wordfence has revealed a new PHP code injection vulnerability with a CVSS score of 9.8, which could enable remote code execution (CVE-2023-6553). The impacted plugin, Backup Migration, is said to have an estimated 90,000 installs.

Unauthenticated threat actors could exploit the bug to inject arbitrary PHP code, resulting in a full site compromise.

“The Backup Migration plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file,” Wordfence said.

“This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.”

Read more on WordPress plugin flaws: WooCommerce Bug Exploited in Targeted WordPress Attacks

The vulnerability was fixed rapidly by Backup Migration developer BackupBliss, within just hours of being informed by Wordfence on December 6.

It was discovered by a researcher via the Wordfence Bug Bounty Program, which was set up on November 8. The research was submitted to the program on December 5 and Wordfence had validated and confirmed a proof-of-concept exploit a day later.

The same day, it released a firewall rule to protect customers and sent the details over to BackupBliss.

Wordfence trumpeted the output of its bug bounty program. Within just a month, over 270 vulnerability researchers have registered and submitted around 130 vulnerabilities, it claimed.

Up until December 20, all researchers will earn 6.25x the program’s normal bounty rates when Wordfence handles responsible disclosure.

Image credit: David MG /

What’s hot on Infosecurity Magazine?