Exploits

Unauth RCE in WordPress Backup Plugin

Published  ·  3 min read

In 2026, there is still an active known vulnerability on many WordPress sites that have seen extensive exploitation (both public and through Metasploit) and it is easy to find.

CVE-2023-6553 is a vulnerability of the Backup Migration plugin (package name: backup-backup) in all versions prior to and including 1.3.7. This plugin, used by tens of thousands of sites for quick backups and migrations, had a flaw that let anyone with network access to your site execute arbitrary PHP code, no login, no privileges, nothing.

The trick? The HTTP Content-Dir header was misused by attackers to compromise the backup-heart.php script located in the wp-content/plugins/backup-backup/includes directory of WordPress. Attackers were able to encode a special character, which resulted in them being able to execute arbitrary code via the include() and require() statements of this script due to how PHP handles its filters (filters chain multiple filter types together using a technique known as filter chaining). The result: full remote code execution (RCE) on the server.

Wordfence disclosed it in December 2023 after researchers from the Nex Team found it through their bug bounty program. It earned a perfect CVSS 9.8 Critical rating: network attack, low complexity, no privileges needed, no user interaction. Public PoCs appeared quickly (GitHub repos, Exploit-DB ID 52486), and by early 2024 a clean Metasploit module was committed that automates the whole thing—writing the payload character-by-character to disk via tiny fwrite calls, then triggering it.

After releasing Version 1.3.8 (online in 2023), the vendor quickly patched it to tighten header value handling and prevent filter-chain manipulation. As of now (2026), fixed versions are still available on wordpress.org and the changeset has been made public to allow others to excel in confirming their accuracy.

However, here is the honest truth; many WordPress websites still run old plugins with no updates for many years. Backup tools especially get left behind because "it still works" and people forget to update. With active exploits floating around and attackers scanning for vulnerable installs, this one hasn't aged out of relevance.

What site owners should do right now:
1. Log in to your Word press admin, and click on Plug Ins, and search for 'Backup Migration' or 'backup-backup' Plug In.
2. If you've installed either Plug In before version 1-3-7 or older, you'll want to immediately upgrade. If it's already installed but inactive; then you'll want to deactivate/delete
the Plug In.
3. If you don't remember the version of your Plug In, go to Installed Plugin section of your admin dashboard or check its README.TXT file.
4. If you haven't done so already, you should enable auto-updates for your plugins.
5. It is also a good idea to run a quick scan on your site using tools like Wordfence, Sucuri, or WPScan to ensure no backdoors were dropped on your site during its period of vulnerability.
6. Check your server logs for any strange POST requests being sent to the backup-heart.php file that have been sent with unusually large Content-Dir header size values.

This vulnerability demonstrates how plugins such as backup plugins can be used as an open door into your server/network. The PHP filter chain technique is elegant and scary, it's the kind of thing that makes defenders appreciate just how creative exploitation can get.

If your site uses any backup/migration plugin, treat updates as non-optional. One missed patch can turn a quiet blog into someone else's playground. Better to spend five minutes updating than days cleaning up afterward.

Source: Exploit DB

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067