CVE-2023-6553

CVE Database · CVE-2023-6553

CVE-2023-6553

· CRITICALModified

CVSS v3.1

9.8

EPSS

97.85%

Published

Dec 15, 2023

Modified

Apr 8, 2026

Public PoC / Exploit (3)

All weaponized →

Exploit-DBWordPress Backup Migration 1.3.7 - Remote Command Execution NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94

Affected Products (1)

backupbliss · backup_migrationvulnerable

References (15)

https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L118

Patch

https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L38

Patch

https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L62