WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks


The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability. 

Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.  

Assessed with a CVSS score of 10, the recently identified critical security flaw could have allowed an attacker to upload files and execute code remotely on an affected site, Seravo, which discovered the bug, reveals

The hosting service says that File Manager versions prior to 6.9 are affected and that disabling the plugin does not prevent exploitation. 

“We urgently advice everybody using anything less than the latest WP File Manager version 6.9 to update to the latest version or alternatively uninstall the plugin,” Seravo says.

When discovered, the security flaw was being exploited by botnets, Seravo reveals. 

The issue was found to reside in code taken from the elFinder project, a framework meant to provide web apps with file explorer GUI. The code was published as an example, but was added to the WordPress plugin, providing attackers with unauthenticated access to file upload. 

According to Wordfence, the plugin renamed “the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself.”

With no direct access restrictions, the file was exposed to anyone, but built-in protection in elFinder prevented directory traversal, thus limiting exploitation to the plugins/wp-file-manager/lib/files/ directory only.

Thus, the observed attacks leveraged the upload command to drop PHP files containing webshells to the wp-content/plugins/wp-file-manager/lib/files/ directory, Wordfence explains. 

The firm also reveals that it has observed nearly half a million attempts to exploit the bug within the past several days, but these appear to be probing attempts, with malicious files injected only after that. 

“Attackers can use these types of vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware or hijack users to nefarious sites. Website owners need to secure their sites using strong multi-factor authentication to minimize the chance of a large data breach. Consumers must continue to safeguard their personal data and monitor their credit history for signs of fraud,” Ameet Naik, security evangelist at PerimeterX, said in an emailed comment.

Related: Hackers Attempted to Steal Credentials From Millions of WordPress Websites

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Related: Code Injection Vulnerability in ‘Real-Time Find and Replace’ WordPress Plugin

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
Tags:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *