"Backup Migration WordPress Plugin Flaw Impacts 90,000 Sites"
Security researchers at Wordfence are warning users of a popular WordPress plugin that they need to patch urgently or risk their site being remotely hijacked. The researchers revealed a new PHP code injection vulnerability with a CVSS score of 9.8, which could enable remote code execution (CVE-2023-6553). The impacted plugin, Backup Migration, is said to have an estimated 90,000 installs. The researchers noted that unauthenticated threat actors could exploit the bug to inject arbitrary PHP code, resulting in a full site compromise. The researchers stated that the Backup Migration plugin for WordPress is vulnerable to remote code execution in all versions up to and including 1.3.7 via the /includes/backup-heart.php file. The researchers noted that the vulnerability was fixed rapidly by Backup Migration developer BackupBliss within hours of being informed of it on December 6.
Infosecurity reports: "Backup Migration WordPress Plugin Flaw Impacts 90,000 Sites"