WordPress Plugin Vulnerability Report – Backup Migration – Unauthenticated Remote Code Execution – CVE-2023-6553

Plugin Name: Backup Migration

Key Information:

  • Software Type: Plugin
  • Software Slug: backup-backup
  • Software Status: Active
  • Software Author: migrate
  • Software Downloads: 1,095,099
  • Active Installs: 90,000
  • Last Updated: December 11, 2023
  • Patched Versions: 1.3.8
  • Affected Versions: <= 1.3.7

Vulnerability Details:

  • Name: Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
  • Type: Improper Control of Generation of Code ('Code Injection')
  • CVE: CVE-2023-6553
  • CVSS Score: 9.8 (Critical)
  • Publicly Published: December 11, 2023
  • Researcher: Nex Team
  • Description: The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.


The Backup Migration plugin for WordPress has a critical vulnerability in versions up to and including 1.3.7 that allows unauthenticated remote code execution. This is due to improper input validation in a PHP file that attackers can exploit to achieve arbitrary code execution. Over 90,000 sites are still running outdated and vulnerable plugin versions. This vulnerability has been patched in version 1.3.8.

Detailed Overview:

Researchers at Nex Team disclosed an unauthenticated RCE flaw affecting the WordPress Backup Migration plugin on December 11th, 2023. By manipulating values passed to include() statements, remote unauthenticated attackers can inject arbitrary PHP code into the /includes/backup-heart.php file and execute it on vulnerable installations. This grants them a foothold to upload malicious scripts and binaries, carry out cybercrime such as credential theft or cryptomining, deface sites, exfiltrate sensitive data, or conduct other malicious activities by leveraging the privileges of the user account under which the web server is running. Over 1 million sites have downloaded Backup Migration and approximately 90,000 active sites remain unpatched and open to exploitation according to publicly reported statistics. All versions prior to 1.3.8 contain the weakness. Site owners and admins are urged to immediately update to the latest release to mitigate this critical remote code execution flaw being actively exploited in the wild.

Advice for Users:

  1. Immediate Action: Update to version 1.3.8 or replace Backup Migration with alternate backup plugins.
  2. Check for Signs of Compromise: Look for unexpected file changes to your plugin folder or site content.
  3. Alternate Plugins: Developers recommend UpdraftPlus Backup as an alternate.
  4. Stay Updated: Enable automatic updates for plugins when available to avoid outdated software.


This high severity vulnerability requires prompt action from Backup Migration users to avoid potential site takeovers. An update has been issued to patch the weakness in the /includes/backup-heart.php file that allows unauthenticated remote code execution. Users should deploy version 1.3.8 immediately to secure WordPress sites against compromise, defacement and other threats from attackers actively attempting to exploit this vulnerability. Enabling automatic updates can help protect against similar threats in the future.




Detailed Report:

Keeping your WordPress website and its plugins up-to-date is crucial for maintaining security and preventing compromise from emerging threats. Unfortunately, a serious vulnerability was recently disclosed in the popular Backup Migration plugin that allows unauthenticated remote code execution (RCE) on affected sites. According to publicly available data, over 90,000 WordPress sites currently still use a vulnerable version of Backup Migration.

Backup Migration is a widely used plugin with over 1 million total downloads that provides backup and migration functionality for WordPress installs. This dangerous security flaw, tracked as CVE-2023-6553, exploits improper input validation in the /includes/backup-heart.php file and affects all versions prior to 1.3.8. By manipulating data passed to include() statements, remote attackers can inject arbitrary PHP code and execute it on vulnerable sites without needing any valid credentials.

If successfully exploited, this vulnerability allows malicious actors to upload dangerous files, install viruses and malware, steal sensitive data, mine cryptocurrency, and deface sites. They can leverage the privileges of the underlying web server user account to gain an initial foothold and then carry out extensive compromise of the entire platform. Over 90,000 sites remain at risk based on usage statistics.

Fortunately, the developer has addressed the issue in Backup Migration version 1.3.8. However, immediate action is required by all site owners and admins still running outdated plugin copies. The following remediation steps are advised:

  1. Update to Backup Migration version 1.3.8, or replace the plugin entirely with a recommended alternative like UpdraftPlus Backup. This will eliminate the remote code execution vulnerability.
  2. Check your site for any signs of existing compromise like unexpected file changes in plugins or site content. Remove anything suspicious.
  3. Enable automatic background updates for plugins whenever available to more quickly apply security patches.

This is the 8th vulnerability to be identified in Backup Migration since November 2021, illustrating the constant risks from outdated plugins. The sheer volume of sites affected underscores how essential proactive security management is, even for time-strapped business owners handling their own WordPress platforms. Don't wait until disaster strikes – securing your website now prevents irreparable damage later. As threats evolve, we urge users not to let their guard down in order to detect and thwart emerging attacks.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

WordPress Plugin Vulnerability Report – Backup Migration – Unauthenticated Remote Code Execution – CVE-2023-6553 FAQs

Leave a Comment