Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

[CVSS 9+] Critical WordPress Backup Plugin Vulnerability


A critical WordPress vulnerability in the Backup Migration plugin, identified as CVE-2023-6553, impacts over 90,000 websites. This flaw allows attackers to gain remote code execution and pose a significant security risk. Nex Team discovered the flaw and reported it to Wordfence under a bug bounty program.

Organisations using the Backup Migration plugin are urged to update to the latest version.

About the Vulnerability

The critical WordPress vulnerability, known as CVE-2023-6553, allows unauthenticated attackers to exploit the Backup Migration plugin in WordPress. By injecting PHP code into the /includes/backup-heart.php file, attackers can gain remote code execution and compromise vulnerable websites. The flaw has an initial CVSS score of 9.8 and poses a significant security risk. Please note that this new vulnerability is not yet available on the NIST NVD, and its CVSS score has not been finalised.

BackupBliss, the development team responsible for the Backup Migration plugin, promptly released version 1.3.8 on the same day after Wordfence reported the vulnerability to them on December 6th.

Despite the prompt release of the patch, approximately 50,000 WordPress websites are still at risk. Please refer to the security advisory of Wordfence for the details about the vulnerability and the remediation.

Call for Action

Immediate Recommended Steps:

  • Update the Backup Migration plugin to version 1.3.8 or later.
  • Back up your website data.
  • Change your WordPress login credentials.

Additional Recommendations:

  • Keep WordPress core, plugins, and themes updated.
  • Use strong passwords for all accounts.
  • Regularly scan your website for vulnerabilities.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.