Vulnerabilities  
December 12, 2023

50,000 WordPress websites exposed to vulnerability that allows attackers full control over sites

A WordPress plugin, known as Backup Migration and boasting over 90,000 installations, harbours a critical severity vulnerability. Exploiting this flaw empowers attackers with the capability to execute remote code, ultimately leading to the complete compromise of susceptible websites. This plugin, designed to aid administrators in automating site backups to either local storage or a Google Drive account, exposes a significant security risk that demands prompt attention.

The security vulnerability, identified as CVE-2023-6553 and carrying a severity score of 9.8/10, was unearthed by a group of bug hunters. They promptly reported the issue to the WordPress security firm Wordfence as part of a newly instituted bug bounty program.

The flaw affects all versions of the Backup Migration plugin up to and including 1.3.6. Malicious actors can exploit it through low-complexity attacks that require no user interaction.

CVE-2023-6553 enables unauthenticated attackers to seize control of targeted websites by achieving remote code execution through PHP code injection via the /includes/backup-heart.php file.

Wordfence explained on Monday that the vulnerability arises because an attacker can control the values passed to an include statement, which leads to remote code execution. As a result, unauthenticated threat actors can easily execute code on the server.

Wordfence highlighted, "By submitting a specially-crafted request, threat actors can exploit this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server within the security context of the WordPress instance."

In the /includes/backup-heart.php file used by the Backup Migration plugin, line 118 attempts to include bypasser.php from the BMI_INCLUDES directory, which is built by concatenating BMI_ROOT_DIR with the string "includes".

However, BMI_ROOT_DIR is itself defined on line 62 from the value of the content-dir HTTP request header, which places BMI_ROOT_DIR, and therefore the include path, under the control of whoever sends the request.
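The mechanism described above, as an added PHP illustration that is not the plugin's own code: the weak shape in which a client-controlled header feeds an include path, beside a hardened resolver that fixes the directory at __DIR__, allowlists the file names it will load and verifies the resolved path. The function names and the allowlist are assumptions made for this example.

```php
<?php
// Added illustration, not code from the Backup Migration plugin.

// Weak shape as the advisory describes it: the plugin root comes from a request
// header, so the client chooses where the later include() looks for bypasser.php.
function weak_includes_dir(array $server): string {
    $root = $server['HTTP_CONTENT_DIR'] ?? '';          // client-supplied value
    return $root . '/includes';                         // attacker-controlled path
}

// Hardened shape: the plugin directory is fixed at install time, never read from
// the request, only known file names are accepted, and the resolved path must
// still sit inside the plugin's includes directory after realpath().
const BMI_ALLOWED_INCLUDES = ['bypasser.php'];          // constructed allowlist

function safe_include_path(string $pluginRoot, string $file): ?string {
    if (!in_array($file, BMI_ALLOWED_INCLUDES, true)) {
        return null;                                    // unknown name: refuse
    }
    $includesDir = realpath($pluginRoot . DIRECTORY_SEPARATOR . 'includes');
    $target      = realpath($pluginRoot . DIRECTORY_SEPARATOR . 'includes'
                            . DIRECTORY_SEPARATOR . $file);
    if ($includesDir === false || $target === false) {
        return null;                                    // must exist on disk
    }
    // realpath() has resolved symlinks and "..", so a prefix check is meaningful.
    $prefix = $includesDir . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                    // escaped the directory
    }
    return $target;
}

// Usage in a plugin entry file: the directory is derived from the file's own
// location (__DIR__), and the request headers play no part in the decision.
$path = safe_include_path(__DIR__, 'bypasser.php');
if ($path === null) {
    http_response_code(500);
    exit('plugin include could not be resolved safely');
}
require_once $path;
```

Because the hardened resolver never consults $_SERVER, a request carrying a content-dir header has no effect on which file is loaded.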

Patch promptly released

On December 6, Wordfence notified the development team about a critical security vulnerability in the Backup Migration plugin. The developers promptly addressed the issue and released a patch in the form of Backup Migration version 1.3.8 within hours of the report.

Despite the availability of the patched plugin version on the same day as the report, the statistics from WordPress.org downloads reveal that nearly one week later, approximately 50,000 WordPress websites using a vulnerable version have yet to be secured.

Website administrators are urged to fortify their sites to ward off potential attacks exploiting CVE-2023-6553. This critical vulnerability poses a remote exploitation risk by unauthenticated malicious actors.

In addition, a phishing campaign is actively targeting WordPress administrators. The campaign employs deceptive tactics, using counterfeit WordPress security advisories related to a fictitious vulnerability tracked as CVE-2023-45124. The aim is to trick administrators into installing malicious plugins.

Furthermore, in the previous week, WordPress addressed a Property Oriented Programming (POP) chain vulnerability. This flaw could enable attackers to execute arbitrary PHP code under specific conditions, particularly in conjunction with certain plugins within multisite installations.

How can this be addressed?

A cyber security company can play a crucial role in addressing and mitigating the issues highlighted above. Here's how:

Vulnerability Assessment and Patch Management:

The company can conduct a comprehensive vulnerability assessment to identify weaknesses in the installed WordPress plugins and in the website's overall security.

They can assist in the timely application of patches, ensuring that known vulnerabilities, such as CVE-2023-6553, are promptly addressed.

Incident Response and Threat Mitigation:

In the event of a security incident, a cyber security company can provide incident response services. This includes investigating the nature of the attack, identifying compromised systems, and implementing immediate mitigations.

They can help design and implement strategies to thwart ongoing phishing campaigns targeting WordPress administrators.

Continuous Monitoring:

Implementing continuous monitoring solutions can help detect and respond to security threats in real time. This includes monitoring for suspicious activity, unauthorised access, and potential signs of a phishing campaign.

At Cybaverse, we offer several services, including those mentioned above. If you want to find out more about how we can help you, get in touch today!
