CVE-2023-6553
published 2023-12-15


Priority: P1 92 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: exploited in the wild (ITW) · public exploit · VulnCheck KEV · initial access
EPSS: 97.85% (99.9th percentile)
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

Affected (2 ranges)

Vendor       Product                                                 Version range   Fixed in
backupbliss  backup_migration                                        <= 1.3.7        (not listed)
inisev       backupbliss_backup_migration_with_free_cloud_storage    <= 1.3.7        (not listed)

Detection & IOCs (extracted from sources)

path:  /wp-content/plugins/backup-backup/includes/backup-heart.php
path:  /wp-content/plugins/backup-backup/readme.txt
other: Content-Dir: <php_filter_chain_payload>
other: shodan-query: http.html:/wp-content/plugins/backup-backup/
other: fofa-query: body=/wp-content/plugins/backup-backup/
  • Detect exploitation attempts by monitoring POST requests to /wp-content/plugins/backup-backup/includes/backup-heart.php containing a Content-Dir HTTP header, which is the attack vector used to control BMI_ROOT_DIR for PHP file inclusion.
  • Alert on POST requests to backup-heart.php with a Content-Dir header containing PHP filter chain strings (e.g. 'php://filter/...' patterns), which is the technique used to prepend a PHP payload to a string evaluated by a require statement.
  • Flag unauthenticated POST requests to backup-heart.php that return HTTP 200 with an empty body and do not contain the string 'Incorrect parameters': this is the Nuclei template detection condition for a vulnerable/exploited instance.
  • Monitor for creation of random-named .php files (e.g. [a-z]{4}.php) in the /wp-content/plugins/backup-backup/includes/ directory, as the Metasploit module writes the payload character-by-character to a randomly named file before executing it.
  • Detect GET requests to /wp-content/plugins/backup-backup/includes/<random>.php following a POST to backup-heart.php, which is the payload trigger step in the exploit chain.
  • Use the Nuclei template fingerprint check: a GET to /wp-content/plugins/backup-backup/readme.txt returning 200 and containing 'Backup Migration' confirms a potentially vulnerable plugin is installed before probing backup-heart.php.
  • The vulnerability affects Backup Migration plugin versions up to and including 1.3.7; version 1.3.8 is patched. Detection rules targeting backup-heart.php should be scoped to unpatched installations.
  • The plugin's WordPress package name is 'backup-backup' (not 'backup-migration'), so filesystem paths and plugin detection queries must use 'backup-backup' as the directory/slug name.
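The detection notes above, turned into a small correlation script as an added example (not part of this record or of any vendor tooling). It classifies individual requests by the conditions listed (Content-Dir header on a POST to backup-heart.php, php://filter strings in that header, the empty-200 success condition, a GET to a random four-letter .php in the includes directory) and then links a POST and a later GET from the same source into one chain alert. The request records, source addresses and the Content-Dir value are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

BACKUP_HEART = "/wp-content/plugins/backup-backup/includes/backup-heart.php"
INCLUDES_DIR = "/wp-content/plugins/backup-backup/includes/"
# Random four-letter .php file name the public exploit module drops (per the notes above)
RANDOM_PHP = re.compile(r"^" + re.escape(INCLUDES_DIR) + r"[a-z]{4}\.php$")
FILTER_CHAIN = re.compile(r"php://filter/", re.IGNORECASE)

@dataclass
class Request:
    src: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    status: int = 0
    body: str = ""

def classify(req: Request) -> list:
    """Tags for one request; an empty list means nothing matched."""
    tags = []
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    if req.method == "POST" and req.path == BACKUP_HEART:
        if "content-dir" in hdrs:
            tags.append("content-dir-header")
            if FILTER_CHAIN.search(hdrs["content-dir"]):
                tags.append("php-filter-chain")
        # Nuclei-style success condition: 200, empty body, no 'Incorrect parameters'
        if req.status == 200 and not req.body.strip() and "Incorrect parameters" not in req.body:
            tags.append("empty-200-response")
    elif req.method == "GET" and RANDOM_PHP.match(req.path):
        tags.append("random-php-in-includes")
    return tags

def scan(requests: list) -> list:
    """Classify an ordered request stream and correlate per source address:
    a random .php GET after a Content-Dir POST from the same source is a chain."""
    alerts, posted = [], set()
    for r in requests:
        tags = classify(r)
        if "content-dir-header" in tags:
            posted.add(r.src)
        if "random-php-in-includes" in tags and r.src in posted:
            tags.append("exploit-chain")
        if tags:
            alerts.append((r.src, r.method, r.path, tags))
    return alerts

# Constructed sample traffic (placeholders, not real captures)
SAMPLE = [
    Request("10.0.0.5", "GET", "/wp-content/plugins/backup-backup/readme.txt", status=200, body="=== Backup Migration ==="),
    Request("203.0.113.9", "POST", BACKUP_HEART, {"Content-Dir": "php://filter/<placeholder>/resource=x"}, 200, ""),
    Request("203.0.113.9", "GET", INCLUDES_DIR + "qwer.php", status=200),
]
```

Running `scan(SAMPLE)` yields two alerts: the POST with all three request tags, and the follow-up GET tagged as an exploit chain.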

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:   9.8 CRITICAL