## https://sploitus.com/exploit?id=F255DC4B-9E11-590F-9C3D-A5BE6EE8EAC0
# 🔥 CVE-2023-6553 — WordPress Backup Migration RCE

### Unauthenticated Remote Code Execution via PHP Filter Chain

[![CVE](https://img.shields.io/badge/CVE-2023--6553-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2023-6553)
[![CVSS](https://img.shields.io/badge/CVSS-9.8%20Critical-darkred?style=for-the-badge)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6553&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1)
[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![License](https://img.shields.io/badge/License-Educational-yellow?style=for-the-badge)]()

> **Proof of Concept exploit for CVE-2023-6553 — a critical unauthenticated RCE vulnerability in the WordPress "Backup Migration" plugin (versions ≤ 1.3.7).**

---

## 📋 Vulnerability Overview

| Property | Detail |
|---|---|
| **CVE ID** | [CVE-2023-6553](https://nvd.nist.gov/vuln/detail/CVE-2023-6553) |
| **CVSS Score** | **9.8 / 10 — Critical** |
| **CVSS Vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) — Improper Control of Generation of Code |
| **Affected Plugin** | [Backup Migration](https://wordpress.org/plugins/backup-backup/) (slug: `backup-backup`) |
| **Affected Versions** | ≤ 1.3.7 |
| **Authentication** | **None required** (Unauthenticated) |
| **Discovered By** | [Wordfence](https://www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e) |

---

## 🧠 Technical Description

The **Backup Migration** plugin for WordPress is vulnerable to **Remote Code Execution** in all versions up to, and including, **1.3.7** via the `/includes/backup-heart.php` file.

The vulnerability exists because the value of the attacker-controlled `Content-Dir` HTTP header reaches a PHP `include` statement without validation. Because `include` accepts stream wrappers, a **PHP filter chain** (a `php://filter/...` URL whose conversion filters resolve to attacker-chosen PHP source) can be supplied in that header, so arbitrary PHP code is executed without authentication — full Remote Code Execution on the server.

### Case Study

https://medium.com/@phantom_hat/cve-2023-6553-wordpress-backup-migration-1-3-7-case-study-31cb8275274b

### Attack Flow

```
┌──────────┐    Content-Dir Header    ┌──────────────────────┐    include()    ┌──────────┐
│ Attacker │ ──── PHP Filter Chain ──▶│  backup-heart.php    │ ──────────────▶ │   RCE    │
│          │    (no auth needed)      │  (vulnerable file)   │                 │  on Host │
└──────────┘                          └──────────────────────┘                 └──────────┘
```

1. **Reconnaissance** — Detect the installed plugin version via `readme.txt`
2. **Payload Generation** — Construct a PHP filter chain that resolves to arbitrary PHP code
3. **Exploit Delivery** — Send the crafted chain in the `Content-Dir` header to the vulnerable endpoint
4. **Command Execution** — Execute OS commands through a deployed webshell

---

## πŸ—‚οΈ Repository Structure

```
.
├── exploit.py              # 🎯 Clean, professional exploit (verbose mode supported)
├── fancy_exploit.py        # ✨ Fancy version — same exploit, better vibes
├── php_filter_chain.py     # 🔗 PHP filter chain generator module
└── README.md               # 📖 You are here
```

### `exploit.py` — Professional Exploit

The primary, clean exploit script designed for professional use in security assessments and case studies. Features include:

- Clean, structured terminal output using [Rich](https://github.com/Textualize/rich)
- Phased execution (Recon → Payload → Delivery → Execution)
- Verbose mode (`-v`) for detailed operational output
- Vulnerability check-only mode (`-C`)
- Exploit summary table on completion

### `fancy_exploit.py` — The Fancy Version ✨

A more expressive version of the same exploit with extra personality. Functionally identical to `exploit.py` but with a much more colorful presentation:

- 🎨 Colorful, rainbow-styled terminal output
- 🎭 Random kaomoji reactions (success, failure, attack faces)
- πŸ–ΌοΈ ASCII art banner
- πŸ’Ž Emoji-enhanced logging (πŸ’€ errors, ✨ successes, πŸ”₯ attack phases)
- πŸ“Š Styled mission report summary with emoji indicators

> **Note:** Both scripts share identical attack logic — `fancy_exploit.py` simply wraps the experience in a more visually expressive output layer.

---

## βš™οΈ Installation

### Prerequisites

- Python 3.8+
- `pip` package manager

### Setup

```bash
# Clone the repository
git clone https://github.com//CVE-2023-6553.git
cd CVE-2023-6553

# Install dependencies
pip install -r requirements.txt
```

> **Note:** `php_filter_chain.py` is a local module included in the repository — no additional installation needed.

---

## 🚀 Usage

### `exploit.py`

```bash
# Check if a target is vulnerable (recon only)
python3 exploit.py -u http://target.com -C

# Exploit and execute a command
python3 exploit.py -u http://target.com -c id

# Check vulnerability first, then exploit
python3 exploit.py -u http://target.com -C -c whoami

# Verbose mode for detailed output
python3 exploit.py -u http://target.com -c id -v
```

### `fancy_exploit.py`

```bash
# Check if a target is vulnerable
python3 fancy_exploit.py -u http://target.com -C

# Exploit and execute a command
python3 fancy_exploit.py -u http://target.com -c id

# Check first, then exploit if vulnerable
python3 fancy_exploit.py -u http://target.com -C -c whoami
```

### Command-Line Flags

| Flag | Description |
|---|---|
| `-u`, `--url` | **(Required)** Target WordPress URL |
| `-c`, `--command` | OS command to execute post-exploitation |
| `-C`, `--check` | Check vulnerability status without exploiting |
| `-v`, `--verbose` | Enable verbose output *(exploit.py only)* |

---

## 📸 Exploit Phases

| Phase | Name | Description |
|:---:|---|---|
| **1** | πŸ” Reconnaissance | Fetches `readme.txt` to detect the installed plugin version |
| **2** | πŸ§ͺ Payload Generation | Builds a PHP filter chain that decodes to a webshell dropper |
| **3** | πŸ’£ Exploit Delivery | Sends the payload to `backup-heart.php` via `Content-Dir` header |
| **4** | πŸš€ Command Execution | Triggers the deployed webshell with the specified OS command |

---

## 🔗 References

- **NVD:** https://nvd.nist.gov/vuln/detail/CVE-2023-6553
- **Wordfence Advisory:** https://www.wordfence.com/threat-intel/vulnerabilities/id/3511ba64-56a3-43d7-8ab8-c6e40e3b686e
- **Vulnerable Source (L118):** https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/backup-heart.php#L118
- **PHP Filter Chains (Synacktiv):** https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it
- **PacketStorm:** http://packetstormsecurity.com/files/176638/WordPress-Backup-Migration-1.3.7-Remote-Command-Execution.html
- **Patch Changeset:** https://plugins.trac.wordpress.org/changeset?old=3006541%40backup-backup&new=3006541%40backup-backup

---

## πŸ›‘οΈ Remediation

- **Update** the Backup Migration plugin to version **1.3.8** or later
- **Remove** the plugin entirely if it is not in active use
- **Implement** a Web Application Firewall (WAF) rule to block suspicious `Content-Dir` headers
- **Audit** server logs for indicators of prior exploitation
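The last two remediation bullets (a WAF allowlist for `Content-Dir` and a log audit for the attack flow described above), as an added Python example that is not part of this repository or the plugin: it parses constructed access-log lines in an assumed format that records the `Content-Dir` request header in a `content_dir="..."` field, flags requests to `backup-heart.php` whose header carries a stream wrapper, filter-chain markers or traversal, and rejects any value that is not a plain path under an assumed allowed root.

```python
import re
from posixpath import normpath

# Assumed (constructed) log format: combined access log plus a content_dir="..."
# field holding the Content-Dir request header. Not the plugin's or the PoC's code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ content_dir="(?P<content_dir>[^"]*)"'
)
VULN_PATH = "/includes/backup-heart.php"                  # the include() sink
WRAPPER_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.I)  # php://, data:, phar://, ...

def suspicious_reasons(value: str, allowed_root: str) -> list:
    """WAF-style allowlist: Content-Dir must be a plain absolute path under allowed_root."""
    if value in ("", "-"):          # header absent in this log: nothing to judge
        return []
    reasons, lower = [], value.lower()
    if WRAPPER_RE.match(value):     # include() honours stream wrappers, a plain dir never needs one
        reasons.append("stream wrapper / URL scheme")
    if "php://filter" in lower or "convert." in lower:
        reasons.append("php filter chain markers")
    if ".." in value.split("/"):
        reasons.append("directory traversal")
    root, norm = allowed_root.rstrip("/"), normpath(value)
    if not reasons and norm != root and not norm.startswith(root + "/"):
        reasons.append("path outside allowed root")
    return reasons

def scan(log_text: str, allowed_root: str = "/var/www/html/wp-content") -> list:
    """Return (ip, timestamp, reasons) per backup-heart.php request with a suspicious Content-Dir."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"].endswith(VULN_PATH):
            reasons = suspicious_reasons(m["content_dir"], allowed_root)
            if reasons:
                findings.append((m["ip"], m["ts"], tuple(reasons)))
    return findings

# Constructed sample: version recon on readme.txt, then one malicious and one benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:01:02 +0000] "GET /wp-content/plugins/backup-backup/readme.txt HTTP/1.1" 200 5120 content_dir="-"
203.0.113.7 - - [12/Dec/2023:10:01:05 +0000] "GET /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 12 content_dir="php://filter/convert.base64-decode/resource=php://temp"
198.51.100.4 - - [12/Dec/2023:10:02:11 +0000] "GET /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 12 content_dir="/var/www/html/wp-content/backups"
"""
```

`scan(SAMPLE_LOG)` reports only the second request; the same `suspicious_reasons` allowlist can back a WAF rule, since a legitimate `Content-Dir` is a directory path, never a URL scheme.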

---

## ⚠️ Disclaimer

> **This tool is provided for authorized security testing and educational purposes only.**
>
> Unauthorized access to computer systems is illegal under laws including the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, and similar legislation worldwide. The author assumes **no liability** for misuse of this software.
>
> Only use this tool against systems you **own** or have **explicit written authorization** to test.

---
**Author:** Phantom Hat

*For authorized penetration testing and security research only.*