Critical WordPress Plug-in RCE Bug Exposes Reams of Websites to Takeover


A critical unauthenticated remote code execution (RCE) bug in a backup plug-in that's been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover, another example of the epidemic of risk posed by flawed plug-ins for the website-building platform.

A cadre of vulnerability researchers called Nex Team discovered a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators can use to facilitate the creation of a backup site. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.

Features of the plug-in include the ability to schedule backups to occur in a timely manner and with various configurations, including defining exactly which files and/or databases should be in the backup, where the backup will be stored, the name of the backup, etc.

“This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise,” Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553. Wordfence said it blocked 39 attacks targeting the vulnerability just in the 24 hours before the post was written.

The Nex Team researchers submitted the bug to a recently created bug-bounty program by Wordfence. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.

The company also awarded Nex Team $2,751 for reporting the bug to its bounty program, which was just launched on Nov. 8. So far, Wordfence reported there has been a positive response to its program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.

Exposed to Unauthenticated, Full Site Takeover

With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of these come via plug-ins that install malware and provide an easy way to expose thousands or even hundreds of thousands of websites to potential attack. Attackers also tend to quickly jump on flaws that are discovered in WordPress.

The RCE flaw arises from “an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code-execution,” according to a post on the Wordfence website. “This makes it possible for unauthenticated attackers to easily execute code on the server.”

Specifically, line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64; however, BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62, which creates the flaw.

“This means that BMI_ROOT_DIR is user-controllable,” Thomas wrote. “By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”
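Because the include path is derived from a request header, request logs that record headers can be checked for values that point anywhere other than the plug-in's own directory. The following is an added example, not code from Wordfence or the plug-in; the log format, field names, `PLUGIN_DIR` placeholder and expected root path are assumptions, and the sample records are constructed.

```python
import json
import posixpath
from urllib.parse import unquote

TARGET_SUFFIX = "/includes/backup-heart.php"  # file named in the advisory
HEADER = "content-dir"                        # header that feeds BMI_ROOT_DIR
# Assumption: the only legitimate header value is this install's plug-in root.
EXPECTED_ROOT = "/var/www/html/wp-content/plugins/PLUGIN_DIR"  # placeholder

# Constructed records, one JSON object per request. The field names and the
# presence of request headers in the log are assumptions about your logging.
SAMPLE_LOG = """
{"src": "203.0.113.7", "path": "/wp-content/plugins/PLUGIN_DIR/includes/backup-heart.php", "headers": {"Content-Dir": "/tmp/constructed-value"}}
{"src": "127.0.0.1", "path": "/wp-content/plugins/PLUGIN_DIR/includes/backup-heart.php", "headers": {"content-dir": "/var/www/html/wp-content/plugins/PLUGIN_DIR/"}}
{"src": "198.51.100.9", "path": "/wp-content/plugins/PLUGIN_DIR//includes/%62ackup-heart.php?x=1", "headers": {"CONTENT-DIR": "/var/www/html/wp-content/plugins/PLUGIN_DIR/../OTHER_DIR"}}
{"src": "192.0.2.4", "path": "/index.php", "headers": {"Content-Dir": "/tmp/constructed-value"}}
"""

def normalize_path(raw):
    """Drop the query string, percent-decode, collapse '//' and '..'."""
    return posixpath.normpath(unquote(raw.split("?", 1)[0])).lower()

def header_value(headers, name):
    """HTTP header names are case-insensitive; return the match or None."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None

def classify(record, expected_root=EXPECTED_ROOT):
    """Return 'ignore', 'expected' or 'suspicious' for one request record."""
    if not normalize_path(record["path"]).endswith(TARGET_SUFFIX):
        return "ignore"
    value = header_value(record.get("headers", {}), HEADER)
    if value is None:
        return "ignore"
    # A value that does not resolve to the plug-in's own root would have
    # pointed BMI_INCLUDES, and so the include of bypasser.php, elsewhere.
    same = posixpath.normpath(value) == posixpath.normpath(expected_root)
    return "expected" if same else "suspicious"

def scan(log_text, expected_root=EXPECTED_ROOT):
    """Return (source address, header value) for every suspicious request."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        if classify(record, expected_root) == "suspicious":
            hits.append((record["src"], header_value(record["headers"], HEADER)))
    return hits
```

Calling `scan(SAMPLE_LOG)` returns the two constructed requests whose header resolves outside the expected root; standard access-log formats do not record custom headers, so this only works where header logging is enabled.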

Patch CVE-2023-6553 in Backup Migration Now

All versions of Backup Migration up to and including 1.3.7 via the /includes/backup-heart.php file are vulnerable to the flaw, which is fixed in version 1.3.8. Anyone using the plug-in on a WordPress site should update it as soon as possible to the patched version, according to Wordfence.

“If you understand somebody who makes use of this plug-in on their web site, we suggest sharing this advisory with them to make sure their web site stays safe, as this vulnerability poses a big threat,” in keeping with the Wordfence submit.
