Skip to content

Critical flaw in Backup Migration plugin exposes over 90K websites

  • by
  • 2 min read

Backup Migration, a WordPress plugin with more than 90,000 active installations, has been exposed to a critical PHP Code Injection vulnerability (CVE-2023-6553) that allows threat actors to gain remote, unauthorised access to the WordPress sites employing the compromised plugin.

Cybersecurity researchers from Wordfence found the vulnerability on December 5, 2023. The vulnerability is rated as critical with a CVSS score of 9.8. The flaw allows malicious actors to exploit the ‘/includes/backup-heart.php’ file, enabling them to control values passed to an include and execute remote code.

In line 118 of the code, there’s an attempt to bring in a file, bypasser.php, from the BMI_INCLUDES directory. This directory’s location is determined by combining BMI_ROOT_DIR with the ‘includes’ string on line 64. BMI_ROOT_DIR is established using the content-dir HTTP header on line 62.

More in-depth technical analysis revealed that the vulnerability stems from the user-controllable ‘BMI_ROOT_DIR’, allowing threat actors to inject unauthorised and potentially harmful PHP code, enabling arbitrary code execution (RCE).

Source: Wordfence

Responding to the threat, Wordfence released a firewall rule on December 6 for premium customers. Users of the free version of Wordfence will receive the same protection on January 5, 2024.

Upon discovering the vulnerability, Wordfence promptly contacted the developers of the Backup Migration plugin, who then released the latest update, 1.3.8, to patch the flaw.

“By submitting a specially-crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance,” said researchers.

In November, another WordPress plugin, UserPro, was exposed to multiple vulnerabilities, allowing hackers to perform privilege escalation attacks, bypass authentication, and forge passwords.

In July, a major flaw was discovered in the AIOS security plugin due to a bug in that version. Before that, researchers found that the Advanced Custom Fields (ACF) plugin, installed on over two million websites, was vulnerable to cross-site scripting (XSS) attacks.

In the News: Can Google’s Gemini provide an alternative to ChatGPT?

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: