
90,000 websites risk potential hacking due to WordPress Backup Migration Plugin flaw


Over 90,000 websites are currently at risk of being hacked because of a critical vulnerability discovered in the WordPress Backup Migration Plugin. The flaw, tracked as CVE-2023-6553, allows unauthenticated remote code execution, giving malicious actors a straightforward way to compromise affected sites. The vulnerability was identified by researchers from Nex Team as part of the Wordfence Bug Bounty program and has been assigned a severity score of 9.8.

The critical nature of this vulnerability lies in its ability to enable remote code execution, which means that attackers can inject arbitrary PHP code into WordPress sites utilizing the affected plugin. This code can then be executed by threat actors without authentication, posing a significant security risk.

The flaw affects all versions of the WordPress Backup Migration plugin up to and including version 1.3.7. It resides in the /includes/backup-heart.php file and grants attackers unauthorized access to sensitive data as well as the ability to execute malicious code on the targeted websites.

Remote Code Execution (RCE) is the class of attack in which an adversary exploits a vulnerability to run commands of their choosing on a target system over the network. In this case, RCE allows attackers to take control of websites running the vulnerable plugin.

Fortunately, WordPress has responded to this security issue by releasing a new version of the plugin, version 1.3.8, which includes a patch to address the vulnerability. Website owners are strongly advised to update the plugin to the latest version promptly to prevent potential exploitation of this security flaw and protect their websites from unauthorized access and code execution.
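As an added example (not from the article and not the plugin's own code), the following Python script reads a WordPress plugin's main file header, extracts the Version: field and reports whether the installed release is at or below 1.3.7, the last version the article names as affected. It compares version components numerically, because a plain string comparison would wrongly rank a release such as 1.3.10 below 1.3.7. The header text is a constructed sample, and the path to the plugin's main PHP file is an assumption passed on the command line.

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Last affected release named in the article; 1.3.8 carries the fix.
LAST_VULNERABLE = (1, 3, 7)

# Constructed sample of a WordPress plugin file header (not the real plugin's file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Version: 1.3.7
 */
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.7' -> (1, 3, 7), so that components compare as numbers, not strings."""
    return tuple(int(part) for part in text.strip().split("."))

def header_version(php_source: str) -> Optional[Tuple[int, ...]]:
    """Pull the 'Version:' field out of a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                      php_source, re.MULTILINE)
    return parse_version(match.group(1)) if match else None

def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for every release up to and including 1.3.7."""
    return version <= LAST_VULNERABLE

def assess(php_source: str) -> str:
    """Classify a plugin's main file as 'vulnerable', 'patched' or 'unknown'."""
    version = header_version(php_source)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"

def main() -> None:
    # The plugin's main PHP file path is an assumption; pass it as argv[1].
    # Without an argument the constructed sample header is checked instead.
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HEADER
    print(assess(source))

if __name__ == "__main__":
    main()
```

Run it against the plugin's main PHP file on each site you administer; any result other than "patched" means the 1.3.8 update has not been applied.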
