December 12, 2023 at 11:53AM
A critical unauthenticated RCE bug in the Backup Migration plugin for WordPress, tracked as CVE-2023-6553, allows threat actors to execute arbitrary PHP code and compromise sites. Wordfence blocked 39 attacks targeting this vulnerability, prompting a patch release by BackupBliss. All versions up to and including 1.3.7 are vulnerable; users should update to version 1.3.8 immediately.
The meeting notes highlight a critical vulnerability in the Backup Migration plugin for WordPress, allowing unauthenticated threat actors to execute code and compromise sites. This prompted a timely response from security researchers and the development community, resulting in the discovery, reporting, and patching of CVE-2023-6553. The vulnerability’s severity is rated 9.8 on the CVSS scale, and it poses a significant risk to WordPress sites running any version of the Backup Migration plugin up to and including 1.3.7. It’s crucial for site administrators to update the plugin to the patched version, 1.3.8, immediately.
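For administrators who manage more than one site, the practical question is which installs still fall in the affected range (up to and including 1.3.7) and which already run 1.3.8 or later. The following is an added example, not code from the advisory, Wordfence, or BackupBliss: it reads the JSON that `wp plugin list --format=json` emits for each site and reports the sites whose copy of the plugin is still vulnerable. The inventory below is constructed, the hostnames are placeholders, and the plugin slug `backup-migration` is an assumption rather than a value taken from the page; substitute the slug your installs actually report.

```python
import json
from typing import Dict, List, Tuple

# Version boundaries from the advisory: every release up to and including
# 1.3.7 is affected, 1.3.8 is the patched release.
LAST_VULNERABLE = "1.3.7"
FIXED_VERSION = "1.3.8"

# Assumed plugin slug (placeholder, not confirmed by the advisory text).
PLUGIN_SLUG = "backup-migration"

# Constructed inventory: one `wp plugin list --format=json` document per site.
# The hostnames are placeholders; the entries are invented for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "site-a.example": '[{"name":"backup-migration","status":"active","update":"available","version":"1.3.7"},'
                      ' {"name":"akismet","status":"active","update":"none","version":"5.3"}]',
    "site-b.example": '[{"name":"backup-migration","status":"inactive","update":"none","version":"1.3.8"}]',
    "site-c.example": '[{"name":"backup-migration","status":"active","update":"none","version":"1.3.10"}]',
    "site-d.example": '[{"name":"backup-migration","status":"active","update":"available","version":"1.2"}]',
    "site-e.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    Comparing tuples is numeric, so "1.3.10" sorts after "1.3.8"; a plain
    string comparison would get that wrong. Any non-numeric suffix such as
    "-beta" ends the parse after the digits that precede it.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first patched release (1.3.8)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_installs(wp_plugin_list_json: str, slug: str = PLUGIN_SLUG) -> List[dict]:
    """Return the entries for `slug` whose version is still in the affected range.

    The plugin's active/inactive status is kept in the returned entry for the
    operator's benefit but is not used to exclude anything: the advisory defines
    exposure by version, so an inactive copy is still reported for update or removal.
    """
    plugins = json.loads(wp_plugin_list_json)
    return [
        p for p in plugins
        if p.get("name") == slug and is_vulnerable(p.get("version", "0"))
    ]


def audit_fleet(inventory: Dict[str, str], slug: str = PLUGIN_SLUG) -> Dict[str, str]:
    """Map each site that still runs an affected version to that version."""
    findings: Dict[str, str] = {}
    for site, listing in inventory.items():
        for entry in find_vulnerable_installs(listing, slug):
            findings[site] = entry["version"]
    return findings


if __name__ == "__main__":
    for site, version in sorted(audit_fleet(SAMPLE_INVENTORY).items()):
        print(f"{site}: {PLUGIN_SLUG} {version} is <= {LAST_VULNERABLE}; update to {FIXED_VERSION}")
```

In the constructed inventory only site-a (1.3.7) and site-d (1.2) are reported; site-b is already on 1.3.8 and site-c on 1.3.10, which the numeric comparison correctly treats as newer than 1.3.8 even though it sorts before it as a string.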
Wordfence blocked 39 attacks targeting the vulnerability within 24 hours, indicating active exploitation in the wild. Furthermore, the recent launch of a bug-bounty program by Wordfence has already seen positive engagement, with 270 vulnerability researchers registering and nearly 130 submissions in its first month. The response from Nex Team, who discovered the vulnerability and reported it to Wordfence’s program, led to the prompt release of a patch and a monetary reward.
The broader context emphasizes the prevalence of security risks associated with flawed plugins in the WordPress ecosystem, with attackers exploiting vulnerabilities to target millions of potentially vulnerable sites. This underlines the importance of vigilant security practices and the proactive patching of known vulnerabilities to mitigate these risks.
In conclusion, site administrators should take immediate action to update the Backup Migration plugin and educate others about the severity of the issue, as it presents a significant risk to the security of WordPress sites.