A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.
Known as Backup Migration, the plugin helps admins automate site backups to local storage or a Google Drive account.
The security bug was discovered by a team of bug hunters known as Nex Team, who reported it to WordPress security firm Wordfence under a recently launched bug bounty program.
It impacts all plugin versions up to and including Backup Migration 1.3.6, and malicious actors can exploit it in low-complexity attacks without user interaction.
CVE-2023-6553 allows unauthenticated attackers to take over targeted websites by gaining remote code execution through PHP code injection via the /includes/backup-heart.php file used by the Backup Migration plugin.
In the /includes/backup-heart.php file, an attempt is made to include the bypasser.php file. BMI_ROOT_DIR is defined through the content-dir HTTP header found on line 62, thereby making BMI_ROOT_DIR subject to user control.
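As an added example (not code from the article, from Wordfence or from the BackupBliss plugin), the following Python triage helper flags requests that reach the backup-heart.php include sink while carrying a client-supplied content-dir header; the plugin path slug, the sample traffic and the assumption that legitimate traffic never sets that header are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Facts taken from the advisory: the include sink is /includes/backup-heart.php
# and BMI_ROOT_DIR is taken from the content-dir request header
# (CVE-2023-6553, Backup Migration <= 1.3.6, fixed in 1.3.8).
SINK_SUFFIX = "/includes/backup-heart.php"
HEADER = "content-dir"
# Patterns that never belong in a server-side directory path supplied by a
# client: traversal, URL-encoded traversal, stream wrappers, null bytes.
BAD_VALUE = re.compile(r"\.\./|%2e%2e|^[a-z][a-z0-9+.-]*://|\x00|%00", re.IGNORECASE)


def classify(method: str, path: str, headers: Dict[str, str]) -> Optional[str]:
    """Return None, 'medium' or 'high' for one request.

    Assumption (not stated on the page): ordinary browser and WordPress
    traffic never sets a content-dir header, so any request carrying it to
    the sink is alert-worthy, and a value matching BAD_VALUE is high confidence.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    target = path.split("?", 1)[0].lower()
    if not target.endswith(SINK_SUFFIX) or HEADER not in hdrs:
        return None
    return "high" if BAD_VALUE.search(hdrs[HEADER]) else "medium"


def scan(requests: List[Tuple[str, str, Dict[str, str]]]) -> List[Tuple[int, str]]:
    """Run classify over (method, path, headers) tuples; return (index, severity)."""
    hits = []
    for i, (method, path, headers) in enumerate(requests):
        severity = classify(method, path, headers)
        if severity:
            hits.append((i, severity))
    return hits


SINK = "/wp-content/plugins/backup-migration/includes/backup-heart.php"  # assumed slug
SAMPLE = [  # constructed traffic, not captured data
    ("GET", SINK, {"Host": "shop.example"}),
    ("POST", SINK, {"Host": "shop.example", "Content-Dir": "/var/www/html/wp-content/plugins/backup-migration"}),
    ("POST", SINK, {"Host": "shop.example", "content-dir": "../../../../tmp/uploads"}),
    ("GET", "/wp-login.php", {"Host": "shop.example", "Content-Dir": "anything"}),
]

if __name__ == "__main__":
    for idx, sev in scan(SAMPLE):
        print(f"request #{idx}: {sev} - content-dir header sent to backup-heart.php")
```

Requests to other paths are ignored even when they carry the header, since only the sink turns the value into an include path.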
Wordfence reported the critical security flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6, with the developers releasing a patch hours later.
Despite the release of the patched Backup Migration 1.3.8 plugin version on the day of the report, almost 50,000 WordPress websites using a vulnerable version still have to be secured nearly one week later, as WordPress.org download stats show.
Admins are strongly advised to secure their websites against potential CVE-2023-6553 attacks, given that this is a critical vulnerability that unauthenticated malicious actors can exploit remotely.
WordPress administrators are also being targeted by a phishing campaign attempting to trick them into installing malicious plugins using fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 as bait.
Last week, WordPress also fixed a Property Oriented Programming chain vulnerability that could allow attackers to gain arbitrary PHP code execution under certain conditions.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 11 Dec 2023 22:50:08 +0000