Description
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to and including 1.3.7 via the /includes/backup-heart.php file. An attacker can control the values passed to an include and then leverage that control to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
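A triage helper for the two facts stated above: the affected version range and the file involved. This is an added example, not code from the plugin or from this advisory. It assumes combined-format access logs and the standard `Version:` plugin header, and `PLUGIN_DIR`, the IP addresses and the header text are constructed sample values.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Both values come from the advisory text above.
VULN_PATH_SUFFIX = "/includes/backup-heart.php"
LAST_AFFECTED = (1, 3, 7)

# Common/combined access-log layout (assumption; adjust for your server).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" \d{3} ')

def parse_version(header_text):
    """Read 'Version: x.y.z' from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True for every version up to and including 1.3.7."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded <= LAST_AFFECTED

def direct_hits(lines):
    """Count requests per client IP that target the file named in the advisory."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m.group("target").split("?", 1)[0]).lower()
        if path.endswith(VULN_PATH_SUFFIX):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample input; PLUGIN_DIR is a placeholder, not the real directory.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Backup Migration\n * Version: 1.3.7\n */\n"
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-content/plugins/PLUGIN_DIR/includes/backup-heart.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-content/plugins/PLUGIN_DIR/includes/backup%2Dheart.php?x=1 HTTP/1.1" 200 0',
    '198.51.100.4 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    version = parse_version(SAMPLE_HEADER)
    print("installed version:", version, "affected:", is_affected(version))
    for ip, count in direct_hits(SAMPLE_LOG).items():
        print(f"{ip}: {count} direct request(s) to {VULN_PATH_SUFFIX}")
```

Matching on the path suffix alone can flag an unrelated plugin that ships a file with the same name, so confirm the plugin directory before acting on a hit.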
Remediation
References