Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress Backup Migration 1.3.7 Remote Code Execution

WordPress Backup Migration plugin versions 1.3.7 and below suffer from a remote code execution vulnerability.

Packet Storm
#vulnerability#wordpress#intel#php#rce#auth
Vulnerability Summary from Wordfence IntelligenceDescription: Backup Migration <= 1.3.7 backup-backup Unauthenticated Remote Code Execution Affected Plugin: Backup MigrationPlugin Slug: backup-backupAffected Versions: <= 1.3.7CVE ID:CVE-2023-6553Pending CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Nex Team Fully Patched Version: 1.3.8Bounty Award: $2,751.00The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.Technical AnalysisLine 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62.affected_code_image_2 This means that the BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.Disclosure TimelineDecember 5, 2023 – We receive the submission of the PHP Code Injection vulnerability in Backup Migration via the Wordfence Bug Bounty Program.December 6, 2023 – We validate the report and confirm the proof-of-concept exploit.December 6, 2023 – We initiate contact with the plugin developer and send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. A fully patched version of the plugin, 1.3.8, is released.ConclusionIn this blog post, we detailed a critical PHP Code Injection vulnerability within the Backup Migration plugin affecting versions 1.3.7 and earlier. This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise. The vulnerability has been fully addressed in version 1.3.8 of the plugin.We urge WordPress users to verify that their sites are updated to the latest patched version of Backup Migration.Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response  have been protected against these vulnerabilities as of December 6, 2023. Users still using the free version of Wordfence will receive the same protection on January 5, 2024.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Related news

WordPress Backup Migration 1.3.7 Remote Command Execution

This Metasploit module exploits an unauthenticated remote command execution vulnerability in WordPress Backup Migration plugin versions 1.3.7 and below. The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.

CVE-2023-6553: Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution — Wordfence Intelligence

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6