Security researchers at Wordfence discovered a bug in Backup Migration, a WordPress plugin with over 90,000 active installations.
This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.
Line 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62.
This means that BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.
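As an added illustration (not code from the plugin or from Wordfence), the following PHP contrasts the include pattern the advisory describes with a hardened resolver that never derives a path from request input. BMI_ROOT_DIR, BMI_INCLUDES and bypasser.php are names taken from the advisory; safe_include() and the surrounding lines are assumptions.

```php
<?php
// Added example, not the Backup Migration plugin's own source.

// --- Weak pattern (reconstructed from the advisory's description) ---------------
// PHP exposes a "content-dir" request header as $_SERVER['HTTP_CONTENT_DIR'].
// Anything read from $_SERVER['HTTP_*'] is attacker-controlled, so an include
// rooted at it loads whatever the request names.
//   define('BMI_ROOT_DIR', $_SERVER['HTTP_CONTENT_DIR']);   // line 62
//   define('BMI_INCLUDES', BMI_ROOT_DIR . 'includes');      // line 64
//   require_once BMI_INCLUDES . '/bypasser.php';            // line 118

// --- Hardened form ------------------------------------------------------------
// The plugin already knows where it lives: derive the root from __DIR__ (or
// WordPress's plugin_dir_path(__FILE__)), never from the request.
define('BMI_ROOT_DIR', dirname(__DIR__) . '/');
define('BMI_INCLUDES', BMI_ROOT_DIR . 'includes');

/**
 * Include $file only if its canonical path lies inside $base_dir and it is a
 * plain .php file on disk. Returns true on success, false (nothing loaded)
 * otherwise. realpath() resolves ".." and symlinks against the real filesystem
 * and returns false for anything it cannot resolve, so the check is an
 * allowlisted directory rather than string filtering of the input.
 */
function safe_include(string $base_dir, string $file): bool {
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $file);
    if ($base === false || $path === false) {
        return false;                       // nonexistent or unresolvable
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                       // escaped the allowed directory
    }
    if (!is_file($path) || substr($path, -4) !== '.php') {
        return false;                       // not a plain PHP source file
    }
    require_once $path;
    return true;
}

// At the point the advisory cites (line 118) the filename is a literal, and the
// include still refuses anything outside BMI_INCLUDES.
if (!safe_include(BMI_INCLUDES, 'bypasser.php')) {
    wp_die('Backup Migration: required include missing or outside plugin directory.');
}
```

For detection, the same fact applies on the wire: legitimate clients have no reason to send a content-dir header, so its presence in web server or WAF logs for requests to this plugin's paths is worth alerting on.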
We urge WordPress users to verify that their sites are updated to the latest patched version of Backup Migration.
Bijay Pokharel