CVE-2023-6553

CRITICAL EXPLOITED NUCLEI LAB

WordPress Backup Migration Plugin PHP Filter Chain RCE

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2023-6553 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including dangwenjing, Chocapikk, motikan2010, including a Metasploit module exploits/multi/http/wp_backup_migration_php_filter. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated RCE in WordPress Backup Migration plugin (≤1.3.7) via PHP filter chain manipulation through the Content-Dir header. It writes a payload character-by-character to bypass size limitations and achieves remote code execution.

Description

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

Exploits (9)

exploitdb WORKING POC
by dangwenjing · textwebappsmultiple
https://www.exploit-db.com/exploits/52486

This Metasploit module exploits an unauthenticated RCE in WordPress Backup Migration plugin (≤1.3.7) via PHP filter chain manipulation through the Content-Dir header. It writes a payload character-by-character to bypass size limitations and achieves remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Backup Migration plugin ≤1.3.7
No auth needed
Prerequisites: WordPress installation with vulnerable Backup Migration plugin · Network access to the target
devstral-2 · analyzed May 15, 2026 Full analysis →
nomisec WORKING POC 80 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2023-6553

This repository contains a functional Python exploit for CVE-2023-6553, targeting the Backup Migration WordPress plugin. The exploit leverages a file inclusion vulnerability in `/includes/backup-heart.php` to achieve unauthenticated remote code execution (RCE) via PHP filter chains.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Backup Migration WordPress plugin (versions up to and including 1.3.7)
No auth needed
Prerequisites: Target must have the vulnerable Backup Migration plugin installed · Network access to the target WordPress site
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 4 stars
by motikan2010 · remote
https://github.com/motikan2010/CVE-2023-6553-PoC

This repository contains a functional exploit for CVE-2023-6553, demonstrating an unauthenticated LFI to RCE vulnerability in the Backup Migration WordPress plugin. The exploit leverages PHP filter chains to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Backup Migration WordPress Plugin
No auth needed
Prerequisites: Target must have the vulnerable Backup Migration plugin installed and accessible
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 2 stars
by 0x00phantom-hat · poc
https://github.com/0x00phantom-hat/CVE-2023-6553-RCE-Exploit

This repository contains functional exploit code for CVE-2023-6553, an unauthenticated RCE vulnerability in the WordPress Backup Migration plugin (≤1.3.7). The exploit leverages a PHP filter chain via the Content-Dir header to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Backup Migration plugin ≤1.3.7
No auth needed
Prerequisites: Python 3.8+ · Rich library for output formatting
devstral-2 · analyzed Apr 14, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Aliyankhan-source · poc
https://github.com/Aliyankhan-source/CVE-2023-6553-RCE-Fancy-Exploit

This repository contains functional exploit code for CVE-2023-6553, an unauthenticated RCE vulnerability in the WordPress Backup Migration plugin (≤1.3.7). The exploit leverages a PHP filter chain via the Content-Dir header to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Backup Migration plugin (≤1.3.7)
No auth needed
Prerequisites: Python 3.8+ · target running vulnerable plugin version
devstral-2 · analyzed Apr 11, 2026 Full analysis →
nomisec WORKING POC
by joaoaugustom · poc
https://github.com/joaoaugustom/WordPress_Backup_Migration-RCE_Unauthenticated

This repository contains a functional exploit for CVE-2023-6553, an unauthenticated RCE vulnerability in the WordPress Backup Migration plugin (<=1.3.7). The exploit leverages a PHP filter chain to write a webshell and includes both interactive shell and reverse shell capabilities.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Backup Migration plugin <=1.3.7
No auth needed
Prerequisites: Target running vulnerable WordPress Backup Migration plugin · Network access to the target
devstral-2 · analyzed Jun 01, 2026 Full analysis →
nomisec WORKING POC
by Harshit-Mashru · remote
https://github.com/Harshit-Mashru/CVE-2023-6553

This repository contains a functional exploit for CVE-2023-6553, a critical unauthenticated remote code execution vulnerability in the WordPress Backup plugin (versions <= 1.3.7). The exploit leverages PHP filter chains to bypass restrictions and achieve RCE via crafted HTTP requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Backup plugin <= 1.3.7
No auth needed
Prerequisites: Vulnerable WordPress Backup plugin installed · Network access to the target WordPress site
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by cc3305 · remote
https://github.com/cc3305/CVE-2023-6553

This repository contains a functional Python exploit for CVE-2023-6553, targeting the Backup Migration WordPress plugin. The exploit leverages a PHP filter chain to achieve unauthenticated remote code execution via a vulnerable include statement in backup-heart.php.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Backupbliss Backup Migration (WordPress) <= 1.3.7
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · PHP filter chain generator dependency
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Nex Team, Valentin Lobstein, jheysel-r7 · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_backup_migration_php_filter.rb

This Metasploit module exploits an unauthenticated RCE vulnerability in the WordPress Backup Migration plugin (versions <= 1.3.7) via PHP filter chaining. It sends a malicious payload through the Content-Dir header to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Backup Migration Plugin <= 1.3.7
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and active · PHP filter functions must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Worpress Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
CRITICALby FLX
Shodan: http.html:/wp-content/plugins/backup-backup/
FOFA: body=/wp-content/plugins/backup-backup/

References (8)

Core 8
Core References

Scores

CVSS v3 9.8
EPSS 0.9785
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:latest
+5 more repos

Details

VulnCheck KEV 2023-12-16
CWE
CWE-94
Status published
Products (2)
backupbliss/backup_migration < 1.3.7
inisev/BackupBliss – Backup & Migration with Free Cloud Storage < 1.3.7
Published Dec 15, 2023
Tracked Since Feb 18, 2026