Backup Migration Plugin for WordPress

Analysis of network traffic for the period alerted on a generic rule:

“ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2.”

The specific URL requested:

http://[redacted].com/wp-content/plugins/backup-backup/includes/backup-heart.php¹.

The payload is fragmented across six frames and reassembled in hopes of avoiding automated forms of analysis.

The vulnerability allows unauthenticated attackers to execute remote code via the /includes/backup-heart.php file¹. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution¹. This makes it possible for unauthenticated attackers to easily execute code on the server¹. 

A critical vulnerability, designated as CVE-2023-6553, was discovered in the Backup Migration plugin for WordPress¹³⁴. This vulnerability impacts all versions up to and including 1.3.7¹. The vulnerability allows unauthenticated attackers to execute remote code via the /includes/backup-heart.php file¹. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution¹. This makes it possible for unauthenticated attackers to easily execute code on the server¹. 

The vulnerability has been given a CVSS score of 9.8, indicating a critical risk¹³⁴. This could result in an entire site compromise⁴. It’s important to note that this vulnerability has impacted over 90,000 installations³. 

Patches for this vulnerability are available¹. It’s recommended to update the plugin to the latest version to mitigate the risk. If you’re using this plugin, please ensure it’s updated to the latest version to protect your site from potential attacks. If you’re unable to update immediately, you might consider deactivating and deleting the plugin until you’re able to apply the security patch². 

Alternative encoding mechanisms are employed to obfuscate the true purpose of the packets.

Source(s) 

1. NVD – CVE-2023-6553 

2. Critical Vulnerability in WordPress Backup Plugin – CVE-2023-6553 

3. WordPress Backup Migration Plugin Remote Code Execution Vulnerability … 

4. 7 WordPress Plugins With Recent Vulnerability Issues – HubSpot Blog 

5. Vulnerability in BackupBuddy Plugin Exploited to Hack WordPress Sites 

6. http://packetstormsecurity.com/files/176638/WordPress-Backup-Migration-1.3.7-Remote-Command-Execution.html 

7. https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php 

8. https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3006541%40backup-backup&new=3006541%40backup-backup&sfp_email=&sfph_mail= 

9. https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it 

10. https://www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e?source=cve