A critical unauthenticated remote code execution bug in a backup plug-in that has been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover - another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.
A cadre of vulnerability researchers called Nex Team discovered a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators use to create and migrate backups of a site.
The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.
Features of the plug-in include scheduled backups with configurable options, such as exactly which files and/or databases should be in the backup, where the backup will be stored, and the name of the backup.
Wordfence said it blocked 39 attacks targeting the vulnerability in the 24 hours before it published its disclosure post alone.
The Nex Team researchers submitted the bug to a recently created bug-bounty program by Wordfence.
Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.
The company also awarded Nex Team $2,751 for reporting the bug to its bounty program, which was just launched on Nov. 8.
Wordfence reported there has been a positive response to its program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.
Exposed to Unauthenticated, Complete Site Takeover

With hundreds of millions of websites built on the WordPress content management system, the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns.
Many of those attacks come through plug-ins, which give attackers an easy way to expose thousands or even millions of sites at once.
Attackers also tend to quickly jump on flaws that are discovered in WordPress.
Specifically, line 118 of the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence.
BMI_INCLUDES is defined on line 64 by concatenating BMI_ROOT_DIR with the string "/includes"; however, BMI_ROOT_DIR is itself defined on line 62 from the content-dir HTTP header, which creates the flaw: an unauthenticated client controls the directory from which the file is included, and therefore what PHP code the server executes.
Patch CVE-2023-6553 in Backup Migration Now

All versions of Backup Migration up to and including 1.3.7 are vulnerable to the flaw via the /includes/backup-heart.php file; it is fixed in version 1.3.8.
Anyone using the plug-in on a WordPress site should update it as soon as possible to the patched version, according to Wordfence.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 12 Dec 2023 16:55:21 +0000