Connect with us

Hi, what are you looking for?



Attacks Targeting Recent WordPress File Manager Flaw Ramping Up

Attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager are ramping up, warns the Wordfence Threat Intelligence team at WordPress security company Defiant.

Attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager are ramping up, warns the Wordfence Threat Intelligence team at WordPress security company Defiant.

With over 700,000 active installs, File Manager is a highly popular WordPress plugin that provides admins with file and folder management capabilities (copy/paste, delete, download/upload, edit, and archive).

In early September 2020, the plugin’s developer addressed a critical-severity zero-day flaw that was already being actively targeted. Assessed with a CVSS score of 10, the flaw can allow attackers to remotely execute code on a vulnerable installation.

The issue is related to code taken from the elFinder project, with the File Manager developers renaming the elFinder library’s connector.minimal.php.dist file to .php, to have it execute directly. This, however, opened the plugin to attackers.

Nearly two weeks after a patch for the vulnerability was released, multiple threat actors are targeting unpatched installations, Wordfence researchers reveal.

Within days after the zero-day was patched, attackers were targeting over 1.7 million sites, but that number increased to 2.6 million as of September 10.

“We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the connector.minimal.php file,” Wordfence notes.

Advertisement. Scroll to continue reading.

The most active of the attackers is a Moroccan threat actor referred to as “bajatax,” which modifies the vulnerable connector.minimal.php file to prevent further attacks. This is the first threat actor observed targeting the vulnerability at scale.

Once it manages to compromise a website, the attacker adds code to exfiltrate user credentials using the Telegram messenger’s API. The code is added to the WordPress core user.php file and, if WooCommerce is installed, two more files are modified to steal user credentials.

A second adversary targeting the security flaw is attempting to inject a backdoor into the vulnerable websites, and is protecting the connector.minimal.php file with a password, in an attempt to prevent other infections. However, it appears that the threat actor is using a consistent password across infections.

Two copies of the backdoor are inserted into the infected website, one in the webroot and the other in a randomized writable folder, likely in an attempt to ensure persistence. The attacker leverages the backdoors to modify core WordPress files which would then be abused for monetization purposes, based on the threat actor’s previously observed modus operandi.

On many of the compromised websites, Wordfence discovered malware from multiple adversaries. Attacks targeting the vulnerability were observed originating from more than 370,000 separate IP addresses, with almost no overlaps between the IPs used by the two most active attackers.

“As more and more users update or remove the File Manager plugin, control of any infected sites will likely be split between these two threat actors,” Wordfence notes.

Site administrators are advised to update the File Manager plugin as soon as possible, but also to scan their website for possible compromise and to remove any malicious code they might find.

Related: WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks

Related: WordPress Malware Targets WooCommerce Stores

Related: Hackers Can Inject Code Into WordPress Sites via Flaw in Product Review Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.