WordPress Backup Migration Plugin Remote Code Execution Vulnerability (CVE-2023-6553)

Qualys Security Advisory

WordPress has released security updates to address a critical severity vulnerability Backup Migration Plugin. Tracked as CVE-2023-6553, the vulnerability may allow unauthenticated attackers to inject arbitrary PHP code, resulting in an entire site compromise. The vulnerability has been given a CVSS score of 9.8.

The Nex Team has discovered the vulnerability and reported it to WordPress security firm Wordfence through a recently launched bug bounty program.

WordPress Backup Migration Plugin is an all-in-one solution for migrating from one site to another host or just restoring the local backup. According to WordPress, the plugin has more than 90,000 active installations.

Vulnerability Details

The vulnerability is exploitable through the /includes/backup-heart.php file. Wordfence states, “This is due to an attacker being able to control the values passed to include and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to execute code on the server easily.”

Affected Versions

The vulnerability affects WordPress Plugin Backup Migration before 1.3.8.


Customers must upgrade to Backup Migration Plugin version 1.3.8 or later to patch this vulnerability.

For more information about the mitigation, please refer to WordPress Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 731013 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.