CVE-2023-6553
Published 2023-12-15
Priority P192 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.85% (99.9th percentile)
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| backupbliss | backup_migration | <= 1.3.7 | — |
| inisev | backupbliss_backup_migration_with_free_cloud_storage | <= 1.3.7 | — |
Detection & IOCs
- Detect exploitation attempts by monitoring POST requests to /wp-content/plugins/backup-backup/includes/backup-heart.php containing a Content-Dir HTTP header, which is the attack vector used to control BMI_ROOT_DIR for PHP file inclusion.
- Alert on POST requests to backup-heart.php with a Content-Dir header containing PHP filter chain strings (e.g. 'php://filter/...' patterns), which is the technique used to prepend a PHP payload to a string evaluated by a require statement.
- Flag unauthenticated POST requests to backup-heart.php that return HTTP 200 with an empty body and do not contain the string 'Incorrect parameters'. This is the Nuclei template detection condition for a vulnerable/exploited instance.
- Monitor for creation of random-named .php files (e.g. [a-z]{4}.php) in the /wp-content/plugins/backup-backup/includes/ directory, as the Metasploit module writes the payload character-by-character to a randomly named file before executing it.
- Detect GET requests to /wp-content/plugins/backup-backup/includes/<random>.php following a POST to backup-heart.php, which is the payload trigger step in the exploit chain.
- Use the Nuclei template fingerprint check: a GET to /wp-content/plugins/backup-backup/readme.txt returning 200 and containing 'Backup Migration' confirms a potentially vulnerable plugin is installed before probing backup-heart.php.
- The vulnerability affects Backup Migration plugin versions up to and including 1.3.7; version 1.3.8 is patched. Detection rules targeting backup-heart.php should be scoped to unpatched installations.
- The plugin's WordPress package name is 'backup-backup' (not 'backup-migration'), so filesystem paths and plugin detection queries must use 'backup-backup' as the directory/slug name.
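The request-level indicators above can be combined into one log triage pass. The following is an added example, not code from any of the sources aggregated on this page; the event schema (`client`, `method`, `path`, `status`, `bytes`, `headers`) is an assumption, since default web server access logs do not record the Content-Dir header, and the sample events are constructed.

```python
import re

# Paths are the ones named on this page; the event schema is an assumption.
HEART = "/wp-content/plugins/backup-backup/includes/backup-heart.php"
INCLUDES_PHP = re.compile(
    r"^/wp-content/plugins/backup-backup/includes/([^/]+\.php)$")


def triage(events):
    """Return (event index, severity, reason) tuples, in log order."""
    findings, suspects = [], set()  # suspects: clients that sent Content-Dir
    for i, ev in enumerate(events):
        path = ev["path"].split("?", 1)[0]
        headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
        if ev["method"] == "POST" and path == HEART and "content-dir" in headers:
            suspects.add(ev["client"])
            if "php://filter" in headers["content-dir"].lower():
                sev, why = "high", "php://filter in Content-Dir"
            else:
                sev, why = "medium", "Content-Dir sent to backup-heart.php"
            # A 200 with an empty body matches the vulnerable-instance condition.
            if ev.get("status") == 200 and ev.get("bytes") == 0:
                why += " (200, empty body)"
            findings.append((i, sev, why))
        elif ev["method"] == "GET" and ev["client"] in suspects:
            # Follow-up request to another .php file in includes/ by the same client.
            m = INCLUDES_PHP.match(path)
            if m and path != HEART:
                findings.append((i, "high", "GET includes/" + m.group(1) + " after POST"))
    return findings


# Constructed sample events: documentation IP ranges, header value elided.
READMETXT = "/wp-content/plugins/backup-backup/readme.txt"
DROPPED = "/wp-content/plugins/backup-backup/includes/abcd.php"
SAMPLE = [
    {"client": "198.51.100.7", "method": "GET", "path": READMETXT, "status": 200, "bytes": 9000, "headers": {}},
    {"client": "198.51.100.7", "method": "POST", "path": HEART, "status": 200, "bytes": 0,
     "headers": {"Content-Dir": "php://filter/<chain elided>"}},
    {"client": "198.51.100.7", "method": "GET", "path": DROPPED, "status": 200, "bytes": 12, "headers": {}},
    {"client": "203.0.113.20", "method": "POST", "path": HEART, "status": 200, "bytes": 20,
     "headers": {"content-dir": "/tmp"}},
    {"client": "203.0.113.30", "method": "GET", "path": DROPPED, "status": 404, "bytes": 0, "headers": {}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Correlation here is keyed on client address only, so requests relayed through different addresses will not be linked; pair it with file-creation monitoring on the includes/ directory.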
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
VulDB
Backup Migration Plugin up to 1.3.7 on WordPress code injection
vuldb·2026-04-11·CVSS 9.8
A vulnerability, which was classified as critical, has been found in Backup Migration Plugin up to 1.3.7 on WordPress. Impacted is an unknown function. Performing a manipulation results in code injection.
This vulnerability is known as CVE-2023-6553. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-2rcj-3wpj-27f2: The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
ghsa_unreviewed·2023-12-15
CVE-2023-6553 [CRITICAL] CWE-94 GHSA-2rcj-3wpj-27f2: The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
VulnCheck
Backup Migration plugin for WordPress Remote Code Execution
vulncheck·2023·CVSS 9.8
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
Affected: backupbliss backup_migration
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-16&host_type=src&vulnerabi
No detection rules found.
Exploit-DB
WordPress Backup Migration 1.3.7 - Remote Command Execution
exploitdb·2026-03-03·CVSS 9.8
---
# Exploit Title: WordPress Backup Migration 1.3.7 - Remote Command Execution
# Date: 2025-10-26
# Exploit Author: DANG
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://wordpress.org/plugins/backup-backup/
# Version: Backup Migration ≤1.3.7
# Tested on: LINUX
# CVE : CVE-2023-6553
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'WordPress Backup Migration Plugin PHP Filter Chain RCE',
'Description' => %q{
This module exploits an unauth RCE in the WordPress plugin: Backup Migration ( [
'Nex Team', # Vulnerability discovery
'Valentin Lobstein', # PoC
'jheysel-r7' # msfmodule
],
'License' => MSF_
Nuclei
Worpress Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
nuclei·CVSS 9.8
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.
Template:
id: CVE-2023-6553
info:
  name: Worpress Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
  author: FLX
  severity: critical
  description: |
    The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-he
Metasploit
WordPress Backup Migration Plugin PHP Filter Chain RCE
metasploit
This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7). The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.
Bleepingcomputer
50K WordPress sites exposed to RCE attacks by critical bug in backup plugin
blogs_bleepingcomputer·2023-12-11·CVSS 9.8
## 50K WordPress sites exposed to RCE attacks by critical bug in backup plugin
## Sergiu Gatlan
A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.
Known as Backup Migration, the plugin helps admins automate site backups to local storage or a Google Drive account.
The security bug (tracked as CVE-2023-6553 and rated with a 9.8/10 severity score) was discovered by a team of bug hunters known as Nex Team, who reported it to WordPress security firm Wordfence under a recently launched bug bounty program.
It impacts all plugin versions up to and including Backup Migration 1.3.6, and malicious actors can exploit it in low-complexity attacks without user interaction.
C
Greynoiseio
Storm Watch
blogs_greynoiseio
arXiv
AEGIS: White-Box Attack Path Generation using LLMs and Training Effectiveness Evaluation for Large-Scale Cyber Defence Exercises
arxiv_fulltext·2026-01-30
Ivan K. Tung (ORCID 0000-0001-9454-1905), Shi Yu Xiang (ORCID 0009-0004-4870-4290), Alex Chien (ORCID 0009-0001-9727-2509), Liu Wenkai (ORCID 0009-0005-1953-7523), Lawrence Zheng (ORCID 0009-0005-9623-3347)
Cyber Defence Test and Evaluation Centre (CyTEC),
The Digital and Intelligence Service (DIS), Singapore Armed Forces
## Abstract
Creating attack paths for cyber defence exercises requires substantial expert effort. Existing automation requires vulnerability graphs or exploit sets curated in advance, limiting where it can be applied. We present AEGIS, a system that generates attack paths using LLMs, white-box access, and Monte Carlo Tree Search over real exploit execution. LLM-based searc
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext·2024-07-31
Raveen Kanishka Jayalath*
University of Adelaide, Australia
Hussain Ahmad* (*Authors contributed equally to this work. Corresponding author.)
University of Adelaide, Australia
Diksha Goel
CSIRO's Data61, Australia
Muhammad Shuja Syed
SLB, USA
Faheem Ullah
University of Adelaide, Australia
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L118
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L38
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L62
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L64
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3006541%40backup-backup&new=3006541%40backup-backup&sfp_email=&sfph_mail=
- https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e?source=cve
- http://packetstormsecurity.com/files/176638/WordPress-Backup-Migration-1.3.7-Remote-Command-Execution.html