Wednesday, December 13, 2023

Critical WordPress Plug-in RCE Bug Exposes Reams of Websites to Takeover


A critical unauthenticated remote code execution (RCE) bug in a backup plug-in that has been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover, another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.

A team of vulnerability researchers known as Nex Team discovered a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators can use to create backups of a site. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.

Features of the plug-in include the ability to schedule backups to run at set times and with various configurations, including defining exactly which files and/or databases should be in the backup, where the backup will be stored, the name of the backup, and so on.

"This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise," Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553. Wordfence said it blocked 39 attacks targeting the vulnerability in just the 24 hours before the post was written.

The Nex Team researchers submitted the bug to a recently created bug-bounty program run by Wordfence. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.

The company also awarded Nex Team $2,751 for reporting the bug to its bounty program, which was only launched on Nov. 8. So far, Wordfence reported, there has been a positive response to the program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.

Exposed to Unauthenticated, Full Site Takeover

With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of these arrive via plug-ins, which can carry malware or exploitable flaws and offer an easy way to expose thousands or even millions of sites to attack. Attackers also tend to jump quickly on flaws that are discovered in WordPress.

The RCE flaw arises from "an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution," according to a post on the Wordfence site. "This makes it possible for unauthenticated attackers to easily execute code on the server."

Specifically, line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. The BMI_INCLUDES directory is defined on line 64 by concatenating BMI_ROOT_DIR with the string "includes"; however, BMI_ROOT_DIR is itself defined on line 62 from the value of the content-dir HTTP request header, and that is what creates the flaw: a request header is attacker input, so the attacker chooses the directory from which PHP code is loaded.

"This means that BMI_ROOT_DIR is user-controllable," Thomas wrote. "By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance."
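The following is an added illustration of the bug class described above (an include path derived from a request header) next to a hardened version of the same logic. It is written for this page and is not the Backup Migration plug-in's source: only the header name (content-dir) and the constant names BMI_ROOT_DIR and BMI_INCLUDES come from the advisory; the function names, the fallback directory and the include-path check are assumptions.

```php
<?php
// Added illustration for this page, NOT the Backup Migration plug-in's code.
// Header name "content-dir" and the BMI_ROOT_DIR / BMI_INCLUDES names follow
// the Wordfence advisory; everything else is assumed.

// --- Vulnerable pattern -------------------------------------------------------
// PHP surfaces a "content-dir: <value>" request header as
// $_SERVER['HTTP_CONTENT_DIR'], so whoever sends the request chooses the root
// from which code is loaded.
function bmi_root_dir_vulnerable(): string
{
    if (isset($_SERVER['HTTP_CONTENT_DIR'])) {
        return $_SERVER['HTTP_CONTENT_DIR'];   // attacker-controlled
    }
    return dirname(__DIR__);                   // assumed default
}

function bmi_include_vulnerable(string $relative): void
{
    $bmiRootDir  = bmi_root_dir_vulnerable();          // "BMI_ROOT_DIR"
    $bmiIncludes = $bmiRootDir . '/includes';          // "BMI_INCLUDES"
    // Any directory the attacker can write PHP into (or point PHP at) becomes
    // the include source, which is the unauthenticated RCE described above.
    require_once $bmiIncludes . '/' . $relative;
}

// --- Hardened pattern ---------------------------------------------------------
// 1. Never let request data decide where code is loaded from: anchor the root
//    on the file's own location (in a real plug-in, plugin_dir_path(__FILE__)).
// 2. Resolve the final path and refuse anything that escapes the plug-in's
//    includes directory, which also blocks "../" in the relative name.
function bmi_root_dir_safe(): string
{
    return dirname(__DIR__);
}

function bmi_include_safe(string $relative): void
{
    $base = realpath(bmi_root_dir_safe() . '/includes');
    $path = ($base === false)
        ? false
        : realpath($base . DIRECTORY_SEPARATOR . basename($relative));

    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException(
            'Refusing to include a file outside the plug-in includes directory'
        );
    }
    require_once $path;
}
```

The fix in 1.3.8 is not reproduced here; the point of the contrast is that include and require targets must be derived from the code's own location, never from headers, query parameters or anything else the client supplies, and that a realpath-based containment check is a cheap second line of defence when a relative file name is involved.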

Patch CVE-2023-6553 in Backup Migration Now

All versions of Backup Migration up to and including 1.3.7 are vulnerable to the flaw in /includes/backup-heart.php; it is fixed in version 1.3.8. Anyone using the plug-in on a WordPress site should update to the patched version as soon as possible, according to Wordfence.

"If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," according to the Wordfence post.
