An unpatched Backup Migration plug-in could lead to PHP code injection on WordPress sites.
Bug hunters have uncovered a flaw in a popular WordPress plug-in that could lead to threat actors running code injection attacks on vulnerable websites.
The plug-in in question, Backup Migration, does pretty much what it says on the tin and is installed on more than 90,000 WordPress sites.
The bug was reported to WordPress security specialists WordFence, as part of a recently announced bug bounty program. The Holiday Bug Extravaganza was launched in November, and the Backup Migration bug was reported on 5 December.
WordFence released a firewall rule to protect its own customers on 6 December and also contacted the developers of the vulnerable plug-in, BackupBliss, on the same day. Within hours BackupBliss released its own patch.
“We contacted the BackupBliss team, makers of the Backup Migration plug-in, on the same day we released our firewall rule,” a WordFence spokesperson said in a blog post. “After providing full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.”
The bug affects all versions of Backup Migration prior to and including 1.3.7. The most up-to-date version of the plug-in, and the one that addresses the bug, is 1.3.8.
The heart of the issue lies in the plug-in’s /includes/backup-heart.php file. An attacker can control values that this file passes to a PHP include statement, and can use that to achieve remote code execution on the WordPress server.
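The general pattern the article describes, as an added illustration that is not the Backup Migration plug-in's own code: a PHP include whose path is built from request-controlled input, beside a hardened version that only includes files from a fixed allowlist inside the plug-in's own directory. The function names, module names and the query parameter are assumptions for the example.

```php
<?php
// Added example, not code from the Backup Migration plug-in.
// Both functions assume a directory of module scripts under $baseDir.

// VULNERABLE PATTERN: the include path is assembled from a value the
// request supplies. Whoever controls that string controls which file
// PHP executes, which is how "attacker-controlled values reaching an
// include" becomes remote code execution.
function load_module_unsafe(string $baseDir, string $requested): void
{
    require_once $baseDir . '/' . $requested . '.php';
}

// HARDENED PATTERN: never derive an include path from input directly.
// Accept only known module names, then confirm the resolved path still
// sits inside the expected directory before including it.
function load_module_safe(string $baseDir, string $requested): bool
{
    $allowed = ['backup', 'restore', 'status']; // hypothetical module names

    if (!in_array($requested, $allowed, true)) {
        error_log('rejected include request: ' . $requested);
        return false;
    }

    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');

    // realpath() resolves ".." and symlinks; reject anything that does not
    // resolve, or that resolves outside the plug-in's include directory.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        error_log('include path escaped base directory: ' . $requested);
        return false;
    }

    require_once $path;
    return true;
}

// Usage (the "module" query parameter is an assumption for the example):
$requested = $_GET['module'] ?? 'status';
// load_module_unsafe(__DIR__ . '/includes', $requested); // do not do this
load_module_safe(__DIR__ . '/includes', $requested);
```

For detection, the `error_log()` calls give defenders a concrete signal: repeated rejections with path-traversal sequences or unexpected module names in the web server's PHP error log are worth alerting on.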
Without patching, servers remain vulnerable, and WordFence is urging users to patch their sites as soon as possible.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.