Critical WordPress Plug-in RCE Bug Exposes Reams of Websites to Takeover

Published: 23/11/2024   Category: security

Attackers can inject and execute arbitrary PHP code using a flaw in Backup Migration, which has been downloaded more than 90K times.



A critical unauthenticated remote code execution (RCE) bug in a backup plug-in that's been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover, another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.
A group of vulnerability researchers called Nex Team discovered a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators can use to create backups of a site. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.
Features of the plug-in include scheduled backups with a range of configuration options: which files and/or databases go into the backup, where the backup is stored, what it is named, and so on.
"This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise," Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553.
Wordfence said it blocked 39 attacks targeting the vulnerability just in the 24 hours before the post was written.
The Nex Team researchers submitted the bug to Wordfence's recently created bug-bounty program. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.
Wordfence also awarded Nex Team $2,751 for the report under the bounty program, which launched on Nov. 8. The company reported a positive response to the program so far: 270 vulnerability researchers have registered and nearly 130 vulnerability submissions arrived in its first month.
With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of those come via plug-ins that install malware and provide an easy way to expose thousands or even millions of sites to potential attack. Attackers also tend to quickly jump on flaws that are discovered in WordPress.
The RCE flaw arises from an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution, according to a post on the Wordfence site. This makes it possible for unauthenticated attackers to easily execute code on the server.
Specifically, line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64; however, BMI_ROOT_DIR is itself defined from the content-dir HTTP header on line 62, and that request-supplied value is the root cause of the flaw. No authentication is needed to send the header, and the include is reached before any check on who made the request.
"This means that BMI_ROOT_DIR is user-controllable," Thomas wrote. "By submitting a specially-crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance."
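To make the root cause concrete, here is an added example written for this page; it is not the plugin's own code. It reconstructs the pattern the Wordfence write-up describes (an include path built from a request header the client controls) and places it beside a hardened builder that pins the root directory, restricts the file name and confines the canonicalised path. Only the constant names BMI_ROOT_DIR/BMI_INCLUDES, the header name and the file names backup-heart.php/bypasser.php come from the write-up; the function names, the demo directories and the exact header handling are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Backup Migration plugin. It reconstructs
// the pattern the Wordfence write-up describes (an include path built from a
// request header the client controls) and contrasts it with a hardened
// builder. Function names, the demo directories and the exact header handling
// are assumptions made for illustration.

// --- Vulnerable pattern (do not use) ----------------------------------------
// PHP exposes a request header "content-dir" as $_SERVER['HTTP_CONTENT_DIR'],
// so whoever sends the request picks the root that the include is built from.
function build_include_path_vulnerable(array $server): string
{
    $root     = $server['HTTP_CONTENT_DIR'] ?? dirname(__DIR__) . '/'; // BMI_ROOT_DIR
    $includes = $root . 'includes';                                    // BMI_INCLUDES
    return $includes . '/bypasser.php';   // what backup-heart.php hands to require_once
}

// --- Hardened pattern --------------------------------------------------------
// The root is fixed to the plugin's own location (WordPress code would use
// plugin_dir_path(__FILE__)), the file name is restricted to a bare PHP file,
// and the result is canonicalised with realpath() and confined to that root.
// realpath() returns false for stream wrappers (php://, data://, phar://) and
// for paths that do not exist, and the prefix check rejects anything that
// traverses out of the directory, so none of those are ever included.
function build_include_path_hardened(string $pluginRoot, string $file): string
{
    $allowedRoot = realpath($pluginRoot . '/includes');
    if ($allowedRoot === false) {
        throw new RuntimeException('plugin includes directory missing');
    }
    if (!preg_match('/\A[a-z0-9_-]+\.php\z/i', $file)) {
        throw new InvalidArgumentException("refusing include name: $file");
    }
    $target = realpath($allowedRoot . DIRECTORY_SEPARATOR . $file);
    $prefix = $allowedRoot . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("path escapes plugin includes: $file");
    }
    return $target;
}

// --- Demonstration on constructed files --------------------------------------
$tmp = sys_get_temp_dir() . '/bmi-demo-' . getmypid();
mkdir("$tmp/includes", 0700, true);          // the plugin's real include
file_put_contents("$tmp/includes/bypasser.php", "<?php return 'legitimate include';\n");
mkdir("$tmp/evil/includes", 0700, true);     // a directory the attacker controls
file_put_contents("$tmp/evil/includes/bypasser.php", "<?php return 'attacker code ran';\n");

// A request carrying the attacker's header (constructed, not a real capture).
$request = ['HTTP_CONTENT_DIR' => "$tmp/evil/"];

$vulnPath = build_include_path_vulnerable($request);
$result   = require $vulnPath;
echo "vulnerable builder included: $vulnPath -> $result\n";

$safePath = build_include_path_hardened($tmp, 'bypasser.php');
$result   = require $safePath;
echo "hardened builder included:   $safePath -> $result\n";

foreach (['../evil/includes/bypasser.php', 'php://filter/resource=bypasser.php',
          "$tmp/evil/includes/bypasser.php"] as $bad) {
    try {
        build_include_path_hardened($tmp, $bad);
        echo "UNEXPECTED: accepted $bad\n";
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Clean up the demo tree.
foreach (["$tmp/evil/includes/bypasser.php", "$tmp/includes/bypasser.php"] as $f) unlink($f);
foreach (["$tmp/evil/includes", "$tmp/evil", "$tmp/includes", $tmp] as $d) rmdir($d);
```

The vulnerable builder never looks at who sent the request, which is why the real flaw needed no authentication: the header alone selects the directory, and whatever bypasser.php lives there (a file the attacker previously planted, or anything a wrapper can turn into PHP) runs as the web server user. The hardened builder removes the header from the decision entirely; the name filter and the realpath prefix check are belt-and-braces for the case where an include name must still be chosen at run time.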
All versions of Backup Migration up to and including 1.3.7 are vulnerable through the /includes/backup-heart.php file; the flaw is fixed in version 1.3.8. Anyone running the plug-in on a WordPress site should update to the patched version as soon as possible, according to Wordfence.
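As a quick inventory check on a host, here is an added example (not Wordfence's or BackupBliss's code) that scans a wp-content/plugins directory, reads each plugin's standard header block the way WordPress does, and lists copies of Backup Migration whose Version header is below 1.3.8. Matching on the "Plugin Name" header rather than on a directory slug is an assumption, since the article does not name the slug; the sample plugin directories are constructed by the script itself so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not Wordfence's or BackupBliss's code: report Backup
// Migration installs older than the fixed release by reading the standard
// WordPress plugin header (first 8 KiB of each top-level .php file, as
// WordPress itself does). Matching on "Plugin Name" instead of the directory
// slug is an assumption made here.

const FIXED_VERSION = '1.3.8';
const TARGET_PLUGIN = 'Backup Migration';

/** Return ['name' => ..., 'version' => ...] for a plugin main file, or null if it has no header. */
function read_plugin_header(string $file): ?array
{
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    $fields = [];
    foreach (['name' => 'Plugin Name', 'version' => 'Version'] as $key => $label) {
        // Same header grammar WordPress accepts: optional comment decoration, then "Label: value".
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($label, '/') . ':(.*)$/mi', $head, $m)) {
            $fields[$key] = trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
        }
    }
    return isset($fields['name']) ? $fields + ['version' => '0'] : null;
}

/** Walk a plugins directory and return [directory => version] for vulnerable copies. */
function find_vulnerable_backup_migration(string $pluginsDir): array
{
    $hits = [];
    foreach (glob($pluginsDir . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
        foreach (glob($dir . '/*.php') ?: [] as $php) {
            $hdr = read_plugin_header($php);
            if ($hdr === null) {
                continue;               // helper file without a header block
            }
            if (strcasecmp($hdr['name'], TARGET_PLUGIN) === 0
                && version_compare($hdr['version'], FIXED_VERSION, '<')) {
                $hits[basename($dir)] = $hdr['version'];
            }
            break;                      // first file with a header is the main plugin file
        }
    }
    return $hits;
}

// --- Constructed fixture standing in for wp-content/plugins -----------------
$root = sys_get_temp_dir() . '/wp-plugins-demo-' . getmypid();
$fixtures = [
    'backup-old'   => ['Backup Migration',  '1.3.7'],  // unpatched
    'backup-new'   => ['Backup Migration',  '1.3.8'],  // patched
    'other-plugin' => ['Some Other Plugin', '0.9'],    // unrelated
];
foreach ($fixtures as $slug => [$name, $ver]) {
    mkdir("$root/$slug", 0700, true);
    file_put_contents("$root/$slug/$slug.php", "<?php\n/**\n * Plugin Name: $name\n * Version: $ver\n */\n");
}

foreach (find_vulnerable_backup_migration($root) as $dir => $version) {
    echo "UPDATE NEEDED: $dir is Backup Migration $version (< " . FIXED_VERSION . ")\n";
}

// Clean up the fixture.
foreach ($fixtures as $slug => $_) {
    unlink("$root/$slug/$slug.php");
    rmdir("$root/$slug");
}
rmdir($root);
```

Point find_vulnerable_backup_migration() at a real wp-content/plugins path to use it on a live install. Reading the header rather than trusting the directory name matters because a plugin copied in by hand or renamed during a migration keeps its header but not necessarily its slug, and version_compare() handles the dotted version strings WordPress plugins use without string-comparison surprises.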
"If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," the Wordfence post said.
