[CDP-development] TLP:GREEN (Vulnerability Alert Notification) MS-ISAC ADVISORY 2023-141: A Vulnerability in the Backup Migration Plugin for WordPress Could Allow for Remote Code Execution

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Wed Dec 13 10:16:02 PST 2023


Good morning,

The SOC Services team is reporting on the vulnerability: MS-ISAC ADVISORY 2023-141: A Vulnerability in the Backup Migration Plugin for WordPress Could Allow for Remote Code Execution.  Due to its high visibility, knowledge of the software installed in the state environment, and active exploitation, we are providing this in-depth information:

History: On December 6, 2023, WordPress notified the plugin developer Migrate of a critical vulnerability detected in their Backup Migration plugin as part of its bug bounty program.  Migrate released an update to the plugin to address the vulnerability on the same day.  CVE-2023-6553 is a vulnerability that could allow for remote code execution and is currently assigned a CVSSv3 rating of 9.8 (Critical).  The CVE was established on December 6, 2023.

The following products are affected:

  *   WordPress Plugin Backup Migration by Migrate <= 1.3.7

Patches are available from Migrate to fix the vulnerabilities.  The fixed versions are:

  *   WordPress Plugin Backup Migration by Migrate 1.3.8

Further information is available from Wordfence:

  *   Wordfence Threat Intelligence Vulnerability Database - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backup-backup/backup-migration-137-unauthenticated-remote-code-execution
  *   Wordfence Blog - https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/


Intelligence: As of December 11, Wordfence is aware that CVE-2023-6553 has been exploited in the wild.  In addition, WordPress administrators are being targeted by a phishing campaign attempting to trick them into installing malicious plugins using fake security advisories (CVE-2023-45124).  The plugin is estimated to have been downloaded 90,000 times.  It is very likely that the exploits will continue to be leveraged by threat actors over the coming months.

Workarounds:  There are no workarounds at this time.

How it works:  An attacker may be able to control the values passed to a PHP include and can then leverage those modified values to achieve remote code execution.

Post-Exploit: Upon successful exploitation of the vulnerabilities, it is possible for unauthenticated threat actors to execute code on the server in the context of the WordPress instance.

No known indicators of compromise have been publicly shared at this time.

As of December 13, 2023, no vulnerability plugins have been released for Tenable Security Center.

Recommended Actions:


  *   Verify the host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  *   Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  *   Apply the Principle of Least Privilege to all systems and services.
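
To support the patching action above, the following added example (not part of the advisory and not Migrate's or Wordfence's code) inventories copies of the plugin under a web root and flags versions below 1.3.8. It assumes the plugin directory is named `backup-backup`, as in the Wordfence URL above, and that the version is declared in the standard WordPress plugin header; the sample tree and the file name `main.php` are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "backup-backup"  # assumed directory name, from the Wordfence URL in the advisory
FIXED = (1, 3, 8)              # fixed release per the advisory; <= 1.3.7 is affected
VERSION_RE = re.compile(r"^[ \t*/#]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(text):
    """'1.3.7' -> (1, 3, 7), padded to three parts so 1.3 compares as 1.3.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_version(plugin_dir):
    """Version header of the main plugin file (a top-level *.php with 'Plugin Name:')."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header comment sits at the top
        match = VERSION_RE.search(head)
        if re.search(r"Plugin Name:", head, re.I) and match:
            return match.group(1)
    return None

def audit(root):
    """List (path relative to root, version, status) for each copy of the plugin."""
    findings = []
    for d in sorted(p for p in Path(root).glob(f"**/wp-content/plugins/{PLUGIN_SLUG}") if p.is_dir()):
        version = plugin_version(d)
        if version is None:
            status = "unknown"     # directory present, no readable header: inspect by hand
        elif parse_version(version) < FIXED:
            status = "vulnerable"  # update to 1.3.8 after verifying the host
        else:
            status = "fixed"
        findings.append((d.relative_to(root).as_posix(), version, status))
    return findings

def demo():
    """Constructed sample tree: three sites with 1.3.7, 1.3.8 and a header-less copy."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("site-a", "1.3.7"), ("site-b", "1.3.8"), ("site-c", None)):
            d = Path(root, site, "wp-content", "plugins", PLUGIN_SLUG)
            d.mkdir(parents=True)
            body = f"<?php\n/**\n * Plugin Name: Backup Migration\n * Version: {ver}\n */\n"
            (d / "main.php").write_text(body if ver else "<?php\n")
        return audit(root)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

On a real server, call `audit()` with the directory that holds the WordPress sites; a "fixed" result only reflects the version header and does not show whether the host was compromised before the update.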


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."
