Critical Unauthenticated Remote Code Execution Found in Backup Migration Plugin

On December 5th, 2023, Wordfence received a submission for a PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with over 90,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.

Wordfence quickly released a firewall rule to paid Wordfence customers on December 6, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 5, 2024.

Wordfence contacted the BackupBliss team, makers of the Backup Migration plugin, on the same day it released the firewall rule. After Wordfence provided full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.

We urge users to immediately update their sites to the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing.

Source and more details: https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/

See also: https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/
