WordPress Security Breach: 90,000 Websites at Risk! Update Now!
Attention WordPress users! A critical security vulnerability has been discovered in the Backup Migration plugin, impacting over 90,000 websites. This vulnerability, tracked as CVE-2023-6553 and rated 9.8/10 in severity, allows attackers to take complete control of your website without any user interaction.
What is the Backup Migration Vulnerability?
The Backup Migration plugin is used by many WordPress users to automate website backups to local storage or Google Drive. However, a flaw in the plugin’s /includes/backup-heart.php file allows malicious actors to inject PHP code and execute arbitrary commands on your server. This essentially grants them complete control over your website.
“This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server,” Wordfence said.
What are the risks?
Attackers exploiting this vulnerability can:
- Steal your website content and data
- Inject malicious code to redirect visitors to phishing websites
- Install malware
- Use your website to launch further attacks
How can you protect yourself?
Here’s what you need to do to ensure your website is safe:
- Update the Backup Migration plugin to version 1.3.8 or later immediately. This patched version fixes the CVE-2023-6553 vulnerability.
- If you haven’t updated your plugin in a while, make sure to update all your WordPress plugins and themes to the latest versions.
- Use strong passwords for your WordPress account and FTP access.
- Regularly back up your website to a secure location.