WordPress Backup Migration Plugin Bug 'CVE-2023-6553' That Reportedly Put Over 90,000 Websites at Risk, Discovered by Group of Researchers
A team of experienced researchers called Nex Team discovered a new bug in the WordPress Backup Migration plugin that reportedly put over 90,000 websites at risk.
Mumbai, December 13: A new vulnerability has been discovered by a team of experienced bug hunters in the Backup Migration plugin for WordPress, which has reportedly left over 90,000 websites open to hacking. The critical security flaw enables unauthenticated RCE (Remote Code Execution), meaning attackers can run code on an affected site without logging in. According to the reports, the flaw was discovered by a vulnerability research team called Nex Team while participating in the Wordfence Bug Bounty Program.
The team discovered a PHP code injection vulnerability in the Backup Migration plugin, which WordPress site administrators use to create backups of their sites. As per the Wordfence website, the bug is tracked as "CVE-2023-6553" and allows attackers to execute code remotely. Using this bug, unauthenticated threat actors can inject arbitrary PHP code and have it executed on any WordPress site running the affected plugin.
Why is CVE-2023-6553 a critical bug?
According to the reports, CVE-2023-6553 is rated 9.8 on the CVSS vulnerability-severity scale. The plugin can schedule backups with different configurations: it can define exactly which files or database tables to back up, assign the location and name of the backup, and so on. The reports said the RCE vulnerability in the Backup Migration plugin exists in all versions up to and including 1.3.7, via the "/includes/backup-heart.php" file. Using this flaw, attackers can execute remote code on the site.
According to Wordfence's post on Backup Migration, the bug, titled "Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution", is credited to Nex Team and was published on December 11, 2023. Attackers can abuse the "/includes/backup-heart.php" file to gain unauthorised access to sensitive data and execute malicious code on the website. The reports said that following the disclosure, the plugin's developers released version 1.3.8 with a patch that addresses the issue; site administrators running 1.3.7 or earlier should update immediately.
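For administrators who want to confirm whether a site is still exposed, the following script checks the installed Backup Migration version against the patched release. It is an added example, not code from the plugin or from Wordfence. It parses the standard WordPress plugin header ("Version: x.y.z") the same way WordPress itself does, and treats anything below 1.3.8 as affected. The plugin directory and main file name (wp-content/plugins/backup-backup/backup-backup.php) are assumptions and should be verified on the target installation; the sample header embedded below is constructed so the script runs offline.

```python
import re
from pathlib import Path
from typing import Optional

# First patched release per the Wordfence advisory for CVE-2023-6553.
FIXED_VERSION = (1, 3, 8)

# Assumed install location of the plugin's main file (verify on your site).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/backup-backup/backup-backup.php")

# Constructed sample of a WordPress plugin header, as found at the top of a
# plugin's main PHP file. Not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Description: Backup and migration plugin (constructed sample header).
 * Version: 1.3.7
 * Author: example
 */
"""

# Mirrors the regex WordPress uses in get_file_data(): the key may be
# preceded by comment decoration such as " * " or "#".
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' header value, or None if the header is absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """Turn '1.3.7' (or '1.3.7-beta') into a comparable tuple of integers."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True for every release below the patched 1.3.8, i.e. <= 1.3.7."""
    return version_tuple(version) < FIXED_VERSION


def assess_header(header_text: str) -> dict:
    """Summarise exposure for a plugin header; 'unknown' if no version found."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": "vulnerable" if is_vulnerable(version) else "patched"}


def assess_plugin_file(path: Path = PLUGIN_MAIN_FILE) -> dict:
    """Read the real plugin file if present; otherwise report it as not installed."""
    if not path.is_file():
        return {"version": None, "status": "not installed"}
    # WordPress only reads the first 8 KiB for header data; do the same.
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        return assess_header(fh.read(8192))


if __name__ == "__main__":
    print("constructed sample:", assess_header(SAMPLE_HEADER))
    print("local install:", assess_plugin_file())
```

Run it from the WordPress root; a "vulnerable" result means the site must be updated to 1.3.8 or later. Note that the comparison is on the declared version only, so a manually patched file that still carries the old header will be flagged, which is the safer failure mode.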
(The above story first appeared on LatestLY on Dec 13, 2023 07:30 PM IST.)