
Thousands Of WordPress Websites At Risk As Critical Bug Discovered
A critical vulnerability was recently identified in the WordPress plugin “Backup Migration.” The flaw, which affects over 90,000 installations, lets unauthenticated attackers achieve remote code execution (RCE) and fully compromise vulnerable websites.
Backup Migration is a widely used WordPress plugin that helps administrators automate site backups to local storage or a Google Drive account. The vulnerability, tracked as CVE-2023-6553, was discovered by researchers from Nex Team, who reported it to the WordPress security firm Wordfence under its recently launched bug bounty program. The program pays security researchers financial rewards for finding vulnerabilities.
According to Wordfence, the vulnerability allows unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use the Backup Migration plugin. “The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file,” Wordfence wrote on its blog on December 11. Wordfence quickly released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. Users of the free version of Wordfence will receive the same rule on January 5, 2024.
Wordfence also notified the plugin's developers, who have issued a patch. The security firm states in its blog post that the vulnerability is fully addressed in version 1.3.8 of the plugin, and it urged WordPress users to verify that their sites are running the latest version of Backup Migration. Because the flaw requires no authentication and the free firewall rule does not arrive until January 5, 2024, updating to 1.3.8 is the only immediate protection for sites without a paid Wordfence plan.