A critical unauthenticated remote code execution (RCE) bug in a backup plug-in that has been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover — another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.
A cadre of vulnerability researchers known as Nex Team found a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators can use to facilitate the creation of a backup site. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.
Features of the plug-in include the ability to schedule backups to occur in a timely manner and with various configurations, including defining exactly which files and/or databases should be in the backup, where the backup will be stored, the name of the backup, and so on.
“This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise,” Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553. Wordfence said it blocked 39 attacks targeting the vulnerability in just the 24 hours before the post was written.
The Nex Team researchers submitted the bug to a recently created bug-bounty program run by Wordfence. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.
The company also awarded Nex Team $2,751 for reporting the bug to its bounty program, which was just launched on Nov. 8. So far, Wordfence reported a positive response to its program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.
Exposed to Unauthenticated, Full Site Takeover
With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a massive attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of these come via plug-ins that install malware and provide an easy way to expose thousands or even millions of websites to potential attack. Attackers also tend to jump quickly on flaws that are discovered in WordPress.
The RCE flaw arises from “an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution,” according to a post on the Wordfence site. “This makes it possible for unauthenticated attackers to easily execute code on the server.”
Specifically, line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64; however, BMI_ROOT_DIR itself is defined via the content-dir HTTP header on line 62, which creates the flaw.
“This means that BMI_ROOT_DIR is user-controllable,” Thomas wrote. “By submitting a specially crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”
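The include-path pattern described above, shown as an added illustration beside a hardened form. This is example code written for this page, not the plug-in's source or Wordfence's code: the constant names BMI_ROOT_DIR and BMI_INCLUDES, the content-dir header and the bypasser.php file name come from the article, while the function names, the directory layout and the realpath-based containment check are assumptions made for the example.

```php
<?php
// Added example, not the plug-in's code. It reconstructs the shape of the
// flaw from the article's description and shows one way to fix it.

// ---- Vulnerable shape (as described by Wordfence; do not use) ------------
// PHP exposes a "content-dir" request header as $_SERVER['HTTP_CONTENT_DIR'].
// Any unauthenticated client can send that header, so the base directory of
// every later include is chosen by the requester:
//
//   define('BMI_ROOT_DIR', $_SERVER['HTTP_CONTENT_DIR'] . '/');   // line 62
//   define('BMI_INCLUDES', BMI_ROOT_DIR . 'includes/');           // line 64
//   require_once BMI_INCLUDES . 'bypasser.php';                   // line 118

// ---- Hardened form ---------------------------------------------------------
// 1. Derive the root from the plug-in's own location on disk. __DIR__ is fixed
//    when the file is compiled and cannot be influenced by a request. Inside
//    WordPress, plugin_dir_path(__FILE__) yields the same kind of value.
// 2. Resolve the final path with realpath() and refuse anything that does not
//    live inside the plug-in's own includes directory.
if (!defined('BMI_ROOT_DIR')) {
    define('BMI_ROOT_DIR', __DIR__ . DIRECTORY_SEPARATOR);
}
if (!defined('BMI_INCLUDES')) {
    define('BMI_INCLUDES', BMI_ROOT_DIR . 'includes' . DIRECTORY_SEPARATOR);
}

/**
 * Return the vetted absolute path of $file inside BMI_INCLUDES, or null when
 * the file is missing or would resolve outside that directory (for example
 * through ../ segments or a symlink). Hypothetical helper for this example.
 */
function bmi_resolve_include(string $file): ?string
{
    $base = realpath(BMI_INCLUDES);
    if ($base === false) {
        return null; // includes directory does not exist: nothing to load
    }
    // basename() drops any directory component a caller might pass in.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($file));
    if ($path === false) {
        return null; // file does not exist
    }
    // Containment check: the resolved path must start with "<base>/".
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Include $file from the fixed includes directory, failing closed instead of
 * falling back to any request-supplied location. Hypothetical helper.
 */
function bmi_require_include(string $file): void
{
    $path = bmi_resolve_include($file);
    if ($path === null) {
        throw new RuntimeException(
            "Refusing to include '" . $file . "': not found inside " . BMI_INCLUDES
        );
    }
    require_once $path;
}

// Equivalent of the include the article points at, with a root the request
// cannot influence:
// bmi_require_include('bypasser.php');
```

The two defensive choices matter independently. Taking the root from `__DIR__` removes the user-controlled input entirely, which is the actual fix; the `realpath()` containment check is defence in depth so that even a future bug that lets a caller influence the file name cannot pull code from outside the plug-in directory. Note that `realpath()` returns `false` for files that do not exist, so the helper fails closed rather than silently including nothing.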
Patch CVE-2023-6553 in Backup Migration Now
All versions of Backup Migration up to and including 1.3.7 are vulnerable to the flaw via the /includes/backup-heart.php file; it is fixed in version 1.3.8. Anyone using the plug-in on a WordPress site should update it to the patched version as soon as possible, according to Wordfence.
“If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk,” according to the Wordfence post.