Critical Vulnerability Exposes 50K WordPress Sites To RCE Attacks In Backup Plugin

A critical security flaw in a widely used WordPress plugin, Backup Migration, has recently been discovered, putting over 50,000 websites at risk of remote code execution (RCE) attacks. In this article, we delve into the details of the vulnerability, its potential impact, and the swift response by the plugin’s development team.

The Vulnerability (CVE-2023-6553)

The security vulnerability, tracked as CVE-2023-6553, carries a severity score of 9.8/10. Nex Team, a group of bug hunters, identified this flaw that allows unauthenticated attackers to execute arbitrary PHP code and take control of targeted websites. The vulnerability affects all versions of the Backup Migration plugin up to and including version 1.3.6.

Exploitation via /includes/backup-heart.php

The exploit involves PHP code injection through the /includes/backup-heart.php file. Attackers can manipulate values passed to an include, enabling them to achieve remote code execution. This vulnerability allows threat actors to execute arbitrary commands on the server, making it a serious concern for website administrators.

Discovery and Reporting

The Nex Team promptly reported the vulnerability to Wordfence, a WordPress security firm, under a bug bounty program. Wordfence, in turn, informed BackupBliss, the development team behind Backup Migration, on December 6. The developers responded swiftly by releasing a patch within hours, introducing version 1.3.8 of the plugin.

Patch Status and Recommendations

Despite the availability of the patched version, statistics from WordPress.org reveal that nearly 50,000 websites are still using vulnerable versions. Website administrators are strongly advised to update to Backup Migration 1.3.8 immediately to secure their sites against potential CVE-2023-6553 attacks.
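As an added example (not code from the plugin, Wordfence, or the original article), the sketch below shows two checks an administrator could run: classifying an installed plugin version against the 1.3.6 and 1.3.8 boundaries given above, and listing access-log requests that reach /includes/backup-heart.php directly. The plugin header text, the `PLUGIN-DIR` placeholder, the log lines, and all function names are constructed for illustration; the page does not say whether 1.3.7 is affected, so that version is reported as unconfirmed.

```python
import re

VULNERABLE_MAX = (1, 3, 6)   # page: affected up to and including 1.3.6
PATCHED_MIN = (1, 3, 8)      # page: fix shipped as 1.3.8
ENDPOINT = "/includes/backup-heart.php"  # file named on the page

# Constructed sample inputs (not real data).
SAMPLE_HEADER = "/**\n * Plugin Name: Backup Migration\n * Version: 1.3.6\n */"
SAMPLE_LOG = [
    '198.51.100.4 - - [11/Dec/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Dec/2023:10:01:05 +0000] "POST /wp-content/plugins/PLUGIN-DIR/includes/backup-heart.php HTTP/1.1" 200 0',
    '198.51.100.4 - - [11/Dec/2023:10:02:00 +0000] "GET /index.php?p=/includes/backup-heart.php HTTP/1.1" 404 0',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(header_text):
    """Read the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Map a version tuple to vulnerable / patched / unconfirmed / unknown."""
    if version is None:
        return "unknown"
    v = tuple(version)
    while len(v) > 1 and v[-1] == 0:   # treat 1.3.6.0 the same as 1.3.6
        v = v[:-1]
    if v <= VULNERABLE_MAX:
        return "vulnerable"
    if v >= PATCHED_MIN:
        return "patched"
    return "unconfirmed"               # e.g. 1.3.7: not stated on the page

def direct_hits(log_lines):
    """Return (client_ip, method, status) for requests whose path ends at ENDPOINT."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore query strings that merely mention the file
        if path.lower().endswith(ENDPOINT):
            hits.append((ip, method, int(status)))
    return hits

if __name__ == "__main__":
    print(classify(parse_version(SAMPLE_HEADER)), direct_hits(SAMPLE_LOG))
```

Any direct request to this file from an unknown client on a site that ran a version up to 1.3.6 is worth reviewing alongside the update.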

Frequently Asked Questions

Q1: What is the nature of the vulnerability in the Backup Migration plugin?

A1: The vulnerability (CVE-2023-6553) allows unauthenticated attackers to gain remote code execution through PHP code injection via the /includes/backup-heart.php file.

Q2: How can website administrators protect their sites from potential attacks?

A2: Administrators should promptly update the Backup Migration plugin to the patched version 1.3.8 released by the development team.

Q3: Are there ongoing phishing campaigns related to this vulnerability?

A3: Yes, WordPress administrators are currently targeted by a phishing campaign attempting to exploit the vulnerability by tricking them into installing malicious plugins.


The discovery of this critical vulnerability in the Backup Migration plugin emphasizes the importance of prompt software updates and security measures. Website administrators must remain vigilant and take immediate action to protect their sites from potential remote code execution attacks.

Feature Image Source: WebFactory Ltd
