CVE-2023-6553

🗓️ 15 Dec 2023 10:59:46Reported by WordfenceType

cve🔗 web.nvd.nist.gov📰️ 7 Media mentions👁 158 Views🌐 WEB

"WordPress Backup Migration plugin 1.3.7 RCE vulnerability

Reporter	Title	Published	Views	Family All 34
0day.today	WordPress Backup Migration 1.3.7 Remote Code Execution Vulnerability	12 Dec 202300:00	–	zdt
0day.today	WordPress Backup Migration 1.3.7 Remote Command Execution Exploit	21 Jan 202400:00	–	zdt
GithubExploit	Exploit for CVE-2023-6553	13 Dec 202320:26	–	githubexploit
GithubExploit	Exploit for CVE-2023-6553	29 Jun 202417:01	–	githubexploit
GithubExploit	Exploit for Code Injection in Backupbliss Backup_Migration	31 May 202618:50	–	githubexploit
GithubExploit	Exploit for CVE-2023-6553	27 Dec 202314:14	–	githubexploit
GithubExploit	Exploit for CVE-2023-6553	7 Nov 202403:28	–	githubexploit
GithubExploit	Exploit for Code Injection in Backupbliss Backup_Migration	10 Apr 202613:46	–	githubexploit
BDU FSTEC	The vulnerability of the Backup Migration plugin of the WordPress content management system allows a hacker to execute arbitrary code.	21 Dec 202300:00	–	bdu_fstec
Circl	CVE-2023-6553	12 Dec 202317:10	–	circl

NVD

Vulners

Node

backupbliss backup_migrationRange≤1.3.7wordpress

[
  {
    "vendor": "inisev",
    "product": "BackupBliss – Backup & Migration with Free Cloud Storage",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.3.7",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php
plugins	www.plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e
synacktiv	www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it
plugins	www.plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php
packetstormsecurity	www.packetstormsecurity.com/files/176638/WordPress-Backup-Migration-1.3.7-Remote-Command-Execution.html

Parameter	Position	Path	Description	CWE
Content-Dir	header	wp-content/plugins/backup-backup/includes/backup-heart.php	Unauthenticated Remote Code Execution via attacker-controlled Content-Dir header leading to include() of arbitrary PHP code	CWE-94

17 Jun 2026 06:50Current

9.8High risk

Vulners AI Score9.8

CVSS 3.19.8

EPSS0.97846

SSVC