CVE-2023-7002: 
WordPress vulnerability analysis and mitigation

The Backup Migration plugin for WordPress contains an OS Command Injection vulnerability (CVE-2023-7002) affecting all versions up to and including 1.3.9. The vulnerability was discovered and reported by Wordfence, with public disclosure on December 22, 2023 (NVD, Wordfence).

The vulnerability exists in the 'url' parameter of the plugin's ajax.php file, which fails to properly validate input. The issue has been assigned a CVSS v3.1 base score of 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (NVD).

Successful exploitation of this vulnerability could allow authenticated attackers with administrator-level permissions to execute arbitrary commands on the host operating system. This could potentially lead to complete system compromise, allowing attackers to gain control of vulnerable systems (FortiGuard).

Users are advised to upgrade to version 1.4.0 or later of the Backup Migration plugin, which contains patches for this vulnerability. The fix is available through the WordPress plugin repository (WordPress).