Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
Summary
| CVE | CVE-2023-6553 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-12-15 11:15:47 UTC |
| Updated | 2026-04-08 18:18:37 UTC |
| Description | The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-94 | NVD-CWE-noinfo | CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Backupbliss | Backup Migration | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Inisev | BackupBliss Backup Migration With Free Cloud Storage | affected 1.3.7 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it | af854a3a-2127-422b-91ae-364da2661108 | www.synacktiv.com | Not Applicable |
| plugins.trac.wordpress.org/changeset | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40... | af854a3a-2127-422b-91ae-364da2661108 | www.wordfence.com | Third Party Advisory |
| plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| packetstormsecurity.com/files/176638/WordPress-Backup-Migration-1.3.7-Remote-Command-... | af854a3a-2127-422b-91ae-364da2661108 | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Nex Team (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2023-12-11T00:00:00.000Z | Disclosed |