WordPress sites exposed to RCE attacks by a critical bug in a backup plugin
A critical vulnerability has been identified in Backup Migration, a widely used WordPress plugin installed on more than 90,000 sites. The bug, tracked as CVE-2023-6553 with a CVSS score of 9.8 out of 10, allows remote code execution, letting attackers take over affected websites. It was discovered by Nex Team and reported through Wordfence.
The issue affects all versions of the plugin up to 1.3.6 and requires no user interaction: through the /includes/backup-heart.php file an attacker can make the plugin include, and therefore execute, PHP code of their choosing. The root cause is the way the plugin builds its include paths: the BMI_ROOT_DIR constant, which serves as the base of those paths, is set from the value of an HTTP header that the client controls.
BackupBliss, the developer of Backup Migration, released a fix (version 1.3.8) within hours of Wordfence's report on December 6. Even so, around 50,000 websites still run a vulnerable version. Administrators are urged to update immediately: the flaw can be exploited remotely by unauthenticated attackers, so an unpatched site is exposed to anyone who can reach it over the network.
In addition to this threat, WordPress administrators are the target of a phishing campaign that uses fake security advisories as a lure. Separately, WordPress itself recently fixed a Property Oriented Programming (POP chain) vulnerability that could lead to arbitrary PHP code execution under specific conditions.
The walkthrough below covers only the vulnerable portion of backup-heart.php as it was visible, not the full file, and reflects none of the later fixes. isFunctionEnabled is a plugin helper that has to be defined elsewhere in the code base, whereas getallheaders is a PHP built-in (available under Apache and, since PHP 7.3, under FPM/FastCGI). The value of the content-dir header is the untrusted input in this flow.
Header Retrieval: The if statement first checks whether the getallheaders function exists. getallheaders returns every HTTP header of the current request as an associative array; if it is available, that array is stored in $fields.
Dynamic Path Definitions: BMI_ROOT_DIR is then defined from $fields['content-dir'], i.e. from a custom content-dir HTTP header sent with the request. The header value goes straight into a filesystem path with no validation or sanitisation, so whoever sends the request decides where the plugin looks for its files.
Constant Definitions: BMI_INCLUDES is defined as BMI_ROOT_DIR concatenated with the string 'includes', the directory in which the plugin expects its additional PHP files to live. Because its prefix is the header value, this directory is attacker-controlled as well.
File Inclusion: Finally, require_once loads bypasser.php from the BMI_INCLUDES directory. require_once includes and evaluates the named file, skipping it if it has already been included; if the file cannot be read, PHP raises a fatal error and halts the script. Since the path is built from the request header, the client chooses which file is evaluated as PHP.
Building file paths from getallheaders output is dangerous because request headers are fully under the client's control: if the server-side code does not validate the value before using it in an include, the result is Remote Code Execution (RCE), which lets the attacker run arbitrary code on the server. Any input that can influence filesystem operations must be strictly validated, and an include base path in particular should be derived from the plugin's own location on disk rather than from request data at all.
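As an added illustration (this is not the plugin's code, nor code from the article's author), here is the header-steered include pattern described above placed next to a hardened version. The header name content-dir, the constants BMI_ROOT_DIR and BMI_INCLUDES and the file name bypasser.php come from the article; the function names, the path separators and the throwaway directory layout used by the demo are assumptions. The script runs from the command line and cleans up after itself.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration of the include pattern discussed above, next to a
 * hardened form. Not the plugin's source. Header name, constant names and
 * bypasser.php follow the article; everything else here is assumed.
 */

// ---- Vulnerable shape (reconstructed from the description; never do this) ----
// Not invoked below: getallheaders() only has something to return inside a
// real HTTP request (Apache, or FPM/FastCGI from PHP 7.3 on).
function vulnerable_bootstrap(): void
{
    if (function_exists('getallheaders')) {
        $fields = getallheaders();                        // every request header, client-controlled
        define('BMI_ROOT_DIR', $fields['content-dir']);   // directory prefix copied verbatim from the request
        define('BMI_INCLUDES', BMI_ROOT_DIR . 'includes');
        require_once BMI_INCLUDES . '/bypasser.php';      // the sender of Content-Dir picks what gets executed
    }
}

// ---- Hardened shape ----
// The includes directory is fixed by the plugin's own location, the file name
// is a constant, and the resolved path is checked for containment anyway so a
// stray ".." or a symlink cannot escape the directory.
function resolve_plugin_include(string $includesDir, string $relative): string
{
    $base = realpath($includesDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('includes directory is missing');
    }
    // Only bare file names are expected: refuse separators and NUL up front.
    if ($relative === '' || strpbrk($relative, "/\\\0") !== false) {
        throw new InvalidArgumentException('include name contains a path separator or NUL');
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    // realpath() follows symlinks and collapses "..", so re-check containment on the result.
    if ($target === false || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('include resolves outside the includes directory');
    }
    return $target;
}

function safe_bootstrap(string $pluginRoot): void
{
    // $pluginRoot is __DIR__ (or plugin_dir_path(__FILE__) inside WordPress),
    // never anything taken from a header, cookie or query string.
    $includes = $pluginRoot . DIRECTORY_SEPARATOR . 'includes';
    require_once resolve_plugin_include($includes, 'bypasser.php');
}

// ---- Self-contained demo (php this_file.php) using a throwaway directory ----
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bmi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/includes/bypasser.php', "<?php\necho \"bypasser.php loaded from the plugin directory\\n\";\n");
file_put_contents($root . '/outside.php', "<?php\necho \"this file must never be loaded\\n\";\n");
@symlink($root . '/outside.php', $root . '/includes/link.php');   // a symlink that escapes the directory

safe_bootstrap($root);   // the legitimate include succeeds

// Each of these must be refused: traversal, absolute path, NUL truncation, symlink escape.
foreach (['../outside.php', '/etc/passwd', "bypasser.php\0.txt", 'link.php'] as $name) {
    $shown = addcslashes($name, "\0..\37");
    try {
        resolve_plugin_include($root . '/includes', $name);
        echo "UNEXPECTED: accepted $shown\n";
    } catch (Throwable $e) {
        echo "rejected $shown: " . $e->getMessage() . "\n";
    }
}

// tidy up
foreach (glob($root . '/includes/*') ?: [] as $f) { unlink($f); }
unlink($root . '/outside.php');
rmdir($root . '/includes');
rmdir($root);
```

The important difference is not the containment check but where the base path comes from: the hardened version never reads a path from the request, so there is nothing for a client to steer. The realpath and prefix comparison are defence in depth for the case where a file name does have to be computed, and the early rejection of separators and NUL keeps PHP 8's filesystem functions from throwing on a poisoned name.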
In summary, a severe Remote Code Execution (RCE) vulnerability, CVE-2023-6553, has been discovered in the Backup Migration WordPress plugin, which is installed on more than 90,000 sites. The flaw lets attackers inject PHP code via a user-controlled HTTP header and compromise the website. Although a patch was released promptly, many sites remain at risk. The incident underscores the need for immediate updates and for strict validation of any user input that reaches the filesystem. WordPress admins are also cautioned about an ongoing phishing campaign and about another PHP code execution vulnerability that was recently patched.