Exploit Title: WordPress Backup Migration 1.3.7 - Remote Command Execution
Date: 2025-10-26
Exploit Author: DANG
Vendor Homepage: https://backupbliss.com/
Software Link: https://wordpress.org/plugins/backup-backup/
Version: Backup Migration ≤1.3.7
Tested on: LINUX
CVE: CVE-2023-6553
This module requires Metasploit: https://metasploit.com/download
Current source: https://github.com/rapid7/metasplo
This vulnerability exposes a systemic weakness in how WordPress plugins handle untrusted input, particularly in headers that bypass traditional authentication checks. The exploit's reliance on PHP filter chaining—a technique that manipulates character encoding to inject code—demonstrates how seemingly obscure features can become attack vectors when combined with poor input validation. The fact that this flaw persisted until late 2023, despite WordPress's security ecosystem, raises questions abou...
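The advisory's defensive takeaway is that a request header value reached code that treated it as a PHP include path, and that a php://filter conversion chain turned that path into code execution. The following is an added detection example, not part of the original advisory or the plugin's code: it parses a raw HTTP request and flags header values that carry a PHP stream wrapper or chained convert.* filter stages, the combination that characterises this class of payload. The header name X-Include-Dir and both sample requests are constructed for the example; the real plugin's header name is not stated on this page and is not assumed here.

```python
"""Flag PHP stream-wrapper / filter-chain payloads in HTTP request headers.

Added detection example; not code from the advisory or from the plugin.
Assumption: an untrusted header value may be used as a PHP include path, as
the advisory describes, so any stream wrapper in a header value is suspicious
and a chain of convert.* filter stages is a strong indicator.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Stream wrappers that never belong in a filesystem path taken from a request.
WRAPPER_RE = re.compile(r"(?i)\b(php|data|phar|expect|zip|glob|compress\.\w+)://")

# Filter stages typical of encoding-manipulation chains (iconv and base64).
FILTER_STAGE_RE = re.compile(r"(?i)convert\.(iconv\.[\w\-]+\.[\w\-]+|base64-(?:en|de)code)")

# Constructed sample requests (header name X-Include-Dir is hypothetical).
BENIGN_REQUEST = (
    "GET /wp-admin/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Include-Dir: /var/www/html/wp-content\r\n"
    "\r\n"
)
SUSPICIOUS_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "X-Include-Dir: php://filter/convert.iconv.UTF8.CSISO2022KR"
    "|convert.base64-decode|convert.iconv.UTF8.UTF16/resource=index.php\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP request as a dict (names lower-cased)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def analyze_headers(headers: Dict[str, str]) -> List[dict]:
    """Return one finding per header whose value looks like a wrapper/filter payload."""
    findings = []
    for name, value in headers.items():
        decoded = unquote(value)  # payloads are often percent-encoded in transit
        wrapper = WRAPPER_RE.search(decoded)
        stages = FILTER_STAGE_RE.findall(decoded)
        if wrapper or stages:
            findings.append({
                "header": name,
                "wrapper": wrapper.group(1).lower() if wrapper else None,
                "filter_stages": len(stages),
                # wrapper + chained filters together is the high-confidence case
                "severity": "high" if (wrapper and stages) else "medium",
            })
    return findings


def scan_request(raw: str) -> List[dict]:
    """Convenience wrapper: parse a raw request and analyse its headers."""
    return analyze_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, scan_request(req))
```

The rule keys on two independent signals, a stream wrapper where only a filesystem path is expected and a run of convert.* stages, and only reports "high" when both are present, which keeps a lone base64 filter in an unrelated header from paging anyone. The mitigation on the application side is simpler still: a path taken from a request must be resolved with realpath() and checked against an allow-listed directory before it is handed to require/include, which rejects every wrapper scheme outright.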
