Critical Unauthenticated Remote Code Execution Found in Backup Migration Plugin
🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! The researcher who reported this vulnerability was awarded $2,751.00! Register as a researcher and submit your vulnerabilities today! 🎁
On November 8th, 2023, Wordfence launched a Bug Bounty Program to help support our mission in securing the web. In only a month’s time, we have had over 270 vulnerability researchers register and submit almost 130 vulnerabilities!
On December 5th, 2023, shortly after the launch of our Holiday Bug Extravaganza, we received a submission for a PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with over 90,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.
We quickly released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on December 6, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 5, 2024.
We contacted the BackupBliss team, makers of the Backup Migration plugin, on the same day we released our firewall rule. After providing full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.
We urge users to update their sites with the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing, immediately.
Vulnerability Summary from Wordfence Intelligence
Description: Backup Migration
Source: wordfence.com