PT-2023-7889 · WordPress · Backup Migration

Nex Team +1

Published: 2023-12-05 · Updated: 2026-03-06

CVE-2023-6553

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Backup Migration plugin for WordPress, versions up to and including 1.3.7.

Description: The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include statement, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server. The estimated number of potentially affected devices worldwide is around 50,000 to 90,000 websites.

Recommendations: Update the Backup Migration plugin to version 1.3.8 or later to resolve the issue. As a temporary workaround, consider disabling the includes/backup-heart.php file until a patch is available. Restrict access to the vulnerable backup-heart.php file to minimize the risk of exploitation. Avoid using the Backup Migration plugin until the issue is resolved.
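A triage check a site operator can run against the plugin's main PHP file to see whether the installed release is still below the fixed 1.3.8, added here as an example (not code from the advisory or from the plugin); the header text is constructed, and the file path a caller passes is the operator's own assumption.

```python
import re

# Constructed sample of a WordPress plugin header comment, as found at the top of a
# plugin's main PHP file. The Version value is made up for the demonstration.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Version: 1.3.7
 */
"""

FIXED_VERSION = "1.3.8"  # first fixed release named in the advisory


def parse_version(text):
    """Turn '1.3.7' into (1, 3, 7) so releases compare numerically, not as strings
    (string comparison would wrongly rank '1.3.10' below '1.3.8')."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def plugin_version(header_text):
    """Extract the Version: field from a WordPress plugin header; None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(header_text):
    """True when the declared version is older than the fixed release (<= 1.3.7)."""
    version = plugin_version(header_text)
    if version is None:
        raise ValueError("no Version: field found in plugin header")
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugin_file(path):
    """Read only the head of the file; the header comment sits at the top."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return is_vulnerable(handle.read(8192))


if __name__ == "__main__":
    state = "vulnerable, update to 1.3.8+" if is_vulnerable(SAMPLE_PLUGIN_HEADER) else "patched"
    print(f"Backup Migration {plugin_version(SAMPLE_PLUGIN_HEADER)}: {state}")
```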

Exploit

Fix

RCE

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2023-08960
CVE-2023-6553

Affected Products

Backup Migration