Vulnerability Management, Cloud Security

Critical WordPress flaw continues to impact nearly 50K sites

Nearly 50,000 WordPress websites are still running versions of the Backup Migration plugin affected by a critical flaw, tracked as CVE-2023-6553, nearly a week after patches were released, BleepingComputer reports. Exploitation of the vulnerability, which was identified by the Nex Team flaw hunting group, could allow even unauthenticated attackers to take over websites through remote code execution, a report from Wordfence showed. "By submitting a specially crafted request, threat actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance," said Wordfence. The flaw emerged following a phishing campaign against WordPress admins that involved the installation of fraudulent plugins to address the fake CVE-2023-45124 vulnerability, as well as the release of patches for a Property Oriented Programming chain bug that could allow arbitrary PHP code execution in particular instances.
