Vulnerability in Backup Migration | Unauthenticated Remote Code Execution

December 12, 2023

The Backup Migration plugin for WordPress has a flaw that allows attackers via the /includes/backup-heart.php file to remotely execute code on a website in all versions up to and including v1.3.7. This makes it possible for unauthenticated attackers to easily execute code on the server.

Wordfence blocked 39 attacks targeting this vulnerability in the past 24 hours.

PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with over 90,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.

Vulnerability Summary from Wordfence Intelligence

Description: Backup Migration <= 1.3.7 backup-backup Unauthenticated Remote Code Execution
Affected Plugin: Backup Migration
Plugin Slug: backup-backup (view on
Affected Versions: <= 1.3.7
CVE ID:CVE-2023-6553
Pending CVSS Score: 9.8 (Critical)
Researcher/s: Nex Team
Fully Patched Version: 1.3.8
Bounty Award: $2,751.00

Improper Control of Generation of Code ('Code Injection')

We urge users to update their sites with the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing, immediately.


Leave a Reply

Your email address will not be published. Required fields are marked *