A critical unauthenticated remote code execution (RCE) bug in a backup plug-in that has been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover, another instance of the epidemic of risk posed by flawed plug-ins for the website-building platform.
A group of vulnerability researchers known as Nex Group found a PHP code-injection vulnerability in Backup Migration, a plug-in that WordPress site administrators can use to facilitate the creation of a backup site. The bug is tracked as CVE-2023-6553 and rated 9.8 on the CVSS vulnerability-severity scale.
Features of the plug-in include the ability to schedule backups to occur on a timely basis and with various configurations, including defining exactly which files and/or databases should be in the backup, where the backup will be stored, the name of the backup, and so on.
"This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise," Alex Thomas, senior Web applications vulnerability researcher at Defiant, wrote in a blog post for Wordfence about CVE-2023-6553. Wordfence said it blocked 39 attacks targeting the vulnerability in just the 24 hours before the post was written.
The Nex Group researchers submitted the bug to a recently created bug-bounty program run by Wordfence. Wordfence notified BackupBliss, the creators of the Backup Migration plug-in, and a patch was released hours later.
The company also awarded Nex Group $2,751 for reporting the bug to its bounty program, which was launched only on Nov. 8. So far, Wordfence reported a positive response to its program, with 270 vulnerability researchers registering and nearly 130 vulnerability submissions in its first month.
Exposed to Unauthenticated, Full Site Takeover
With hundreds of millions of websites built on the WordPress content management system (CMS), the platform and its users represent a massive attack surface for threat actors and thus are frequent targets of malicious campaigns. Many of these come via plug-ins that install malware and offer an easy way to expose thousands or even millions of websites to potential attack. Attackers also tend to jump quickly on flaws that are discovered in WordPress.
The RCE flaw arises from "an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution," according to a post on the Wordfence site. "This makes it possible for unauthenticated attackers to easily execute code on the server."
Specifically, line 118 within the /includes/backup-heart.php file used by the Backup Migration plug-in attempts to include bypasser.php from the BMI_INCLUDES directory, according to Wordfence. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64; however, BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62, which creates the flaw.
"This means that BMI_ROOT_DIR is user-controllable," Thomas wrote. "By submitting a specially crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance."
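The following PHP is an added illustration, not the Backup Migration plug-in's own code: it reconstructs the pattern the advisory describes (a root-directory constant taken from the content-dir request header and then used to build an include path) next to a hardened version that derives the directory from the file's own location and refuses any include path that resolves outside the plug-in root. The helper names (vulnerable_root_dir, hardened_root_dir, safe_include_path) are hypothetical, and the code assumes it lives in the plug-in's includes/ directory, as backup-heart.php does; the BMI_ROOT_DIR and BMI_INCLUDES constant names follow the advisory.

```php
<?php
// Added illustrative example (not the Backup Migration plug-in's own code).
// It reconstructs the pattern the advisory describes: a root directory
// constant derived from a request header, then used to build an include path.
// A request header named 'content-dir' reaches PHP as $_SERVER['HTTP_CONTENT_DIR'].

// --- Vulnerable pattern (do not use) -------------------------------------
// Any client can set the content-dir header, so the include path is
// attacker-controlled and require_once will load whatever PHP file that
// path resolves to. (Keep allow_url_include=Off in php.ini as well, so a
// path like this can never point at a remote resource.)
function vulnerable_root_dir(): string
{
    if (isset($_SERVER['HTTP_CONTENT_DIR'])) {
        return $_SERVER['HTTP_CONTENT_DIR'];   // user-controllable value
    }
    return dirname(__DIR__);
}

// --- Hardened pattern -----------------------------------------------------
// The plug-in's own location on disk is known through __DIR__ (this file is
// assumed to sit in <plugin>/includes/), so nothing from the request is
// needed to locate the includes directory.
function hardened_root_dir(): string
{
    return dirname(__DIR__);                   // derived from the file's own path
}

// Defence in depth for any include whose path is assembled at run time:
// resolve it with realpath() and refuse anything outside the plug-in root.
function safe_include_path(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    $target   = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $target === false) {
        return null;                           // missing file or unresolvable path
    }
    // Append a separator so "/plugin-evil" is not accepted as inside "/plugin".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                           // resolved outside the allowed root
    }
    return $target;
}

// Usage in the hardened flow (constant names follow the advisory).
define('BMI_ROOT_DIR', hardened_root_dir());
define('BMI_INCLUDES', BMI_ROOT_DIR . DIRECTORY_SEPARATOR . 'includes');

$bypasser = safe_include_path(BMI_INCLUDES, 'bypasser.php');
if ($bypasser === null) {
    http_response_code(500);
    exit('Refusing to include a file outside the plug-in directory.');
}
require_once $bypasser;
```

The key design point is that the file system location of a plug-in is a build-time fact, so it should never be read from anything the client sends; the realpath() prefix check is a second layer that catches traversal or symlink tricks even if some other code path later assembles an include from untrusted input.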
Patch CVE-2023-6553 in Backup Migration Now
All versions of Backup Migration up to and including 1.3.7 are vulnerable to the flaw via the /includes/backup-heart.php file; it is fixed in version 1.3.8. Anyone using the plug-in on a WordPress site should update it to the patched version as soon as possible, according to Wordfence.
"If you know someone who uses this plug-in on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," according to the Wordfence post.