50K WordPress sites exposed to RCE attacks by critical bug in backup plugin

11-Dec-23

A WordPress plugin with over 90,000 installations has a critical-severity vulnerability that could allow attackers to execute code remotely and take control of affected websites.


Admins can use a plugin called Backup Migration to automate site backups to local storage or a Google Drive account. A group of security researchers called Nex Team found the vulnerability (tracked as CVE-2023-6553 and rated 9.8/10 in severity) and reported it to WordPress security company Wordfence through a recently launched bug bounty program. It affects all plugin versions, including Backup Migration 1.3.6, and may be used by malicious actors to launch low-level, user-interruptible attacks.



