A critical vulnerability in the Backup Migration plugin for WordPress exposes the more than 50,000 websites that run it to unauthenticated remote code execution (RCE). The flaw, tracked as CVE-2023-6553, lets an attacker with no credentials inject and execute arbitrary PHP code on the site, which is enough to take it over completely. It affects all versions of the plugin up to and including Backup Migration 1.3.6. The developers have released a patched version, but nearly 50,000 sites were still running a vulnerable release at the time of writing, so site owners should check their installed version and update. Separately, WordPress administrators are being targeted by a phishing campaign that uses fake security advisories as its lure.
PaperCut has fixed a critical vulnerability (CVE-2023-39143) in its NG/MF print management software that allows unauthenticated attackers to execute code remotely on unpatched Windows servers. The flaw stems from two path traversal weaknesses that let an attacker manipulate files on a vulnerable server, which is sufficient to achieve code execution. The vulnerability is only exploitable in a non-default server configuration, but most PaperCut installations are believed to have the affected setting enabled, so administrators should not assume they are unaffected without checking. Administrators are advised to install the security update promptly; where that is not immediately possible, restricting access to the server to an allowlist of trusted IP addresses reduces exposure until the patch is applied. PaperCut servers have previously been targeted through other vulnerabilities by ransomware gangs and state-backed hacking groups, resulting in data theft from affected organizations.