WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks

The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability. 


Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.  

Assessed a CVSS score of 10, the critical flaw allows an unauthenticated attacker to upload files and execute code remotely on an affected site, according to Seravo, the hosting provider that discovered the bug.

Seravo says that File Manager versions prior to 6.9 are affected and that merely deactivating the plugin does not prevent exploitation: the vulnerable file is reached directly over HTTP rather than through WordPress, so it stays exposed as long as it remains on disk. Updating or uninstalling the plugin are the only fixes.

“We urgently advise everybody using anything less than the latest WP File Manager version 6.9 to update to the latest version or alternatively uninstall the plugin,” Seravo says.

By the time it was discovered, the flaw was already being exploited by botnets, Seravo reveals.

The issue resides in code taken from the elFinder project, an open-source framework that gives web applications a file-explorer GUI. elFinder ships the code only as an example, but the WordPress plugin included it in executable form, giving unauthenticated attackers access to the file upload function.

According to Wordfence, the plugin renamed “the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself.”


With no access restrictions on that file, anyone could send it elFinder commands. elFinder's built-in protection against directory traversal still held, however, which confined attackers to the plugins/wp-file-manager/lib/files/ directory.

As a result, the observed attacks used the connector's upload command to drop PHP webshells into wp-content/plugins/wp-file-manager/lib/files/, Wordfence explains.

Wordfence also says it observed nearly half a million exploitation attempts over the preceding few days. Most appear to be probes for the vulnerable file, with malicious files uploaded only afterwards against sites that responded.
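Turning Wordfence's description of the attack chain into something a site operator can run: the Python script below is an added example written for this page, not code from SecurityWeek, Seravo, Wordfence or the File Manager project. It flags access-log requests that hit the elFinder connector directly (a POST whose upload command travels in a multipart body shows only the filename in the log, so it is reported as a probable upload rather than dropped), flags requests that execute a .php file under the lib/files/ upload directory, and sweeps that directory on disk for PHP files, which is still worth doing on a site where the plugin was deactivated rather than removed. The log lines and the temporary webroot are constructed; the lib/php/ location of the connector and the set of PHP extensions checked are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Filename named in the article; the directory it sits in (lib/php/) is an assumption.
CONNECTOR = "connector.minimal.php"
# Upload directory Wordfence names as the only location attackers could write to.
UPLOAD_DIR = "wp-content/plugins/wp-file-manager/lib/files"
# Extensions treated as executable PHP (assumption; match it to the host's handler config).
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Sep/2020:10:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open&target= HTTP/1.1" 200 512 "-" "python-requests/2.24"',
    '203.0.113.9 - - [01/Sep/2020:10:00:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 318 "-" "python-requests/2.24"',
    '198.51.100.4 - - [01/Sep/2020:10:00:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/x.php HTTP/1.1" 200 14 "-" "curl/7.68.0"',
    '192.0.2.7 - - [01/Sep/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def flag_suspicious_requests(lines):
    """Return one record per request that either hits the elFinder connector
    directly or executes a PHP file inside the upload directory.

    For connector hits, ``cmd`` is read from the query string when present.
    An elFinder upload is a multipart POST whose cmd=upload field is in the
    body, which access logs do not record, so a POST with no cmd in the URL
    is reported as "upload?" (probable upload) instead of being ignored.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path_only, _, query = m["path"].partition("?")
        record = {"ip": m["ip"], "method": m["method"],
                  "path": path_only, "status": int(m["status"])}
        if path_only.endswith("/" + CONNECTOR):
            cmd_m = re.search(r"(?:^|&)cmd=([^&]*)", query)
            record["kind"] = "connector"
            record["cmd"] = cmd_m.group(1) if cmd_m else (
                "upload?" if m["method"] == "POST" else "none")
            findings.append(record)
        elif ("/" + UPLOAD_DIR + "/") in path_only and \
                Path(path_only).suffix.lower() in PHP_SUFFIXES:
            record["kind"] = "upload_dir_php"
            findings.append(record)
    return findings


def find_dropped_php(webroot):
    """List PHP files under the upload directory, relative to webroot.

    A clean install keeps no PHP there, so any hit deserves inspection, and
    deactivating the plugin does not delete files, so check even inactive sites.
    """
    webroot = Path(webroot)
    base = webroot / UPLOAD_DIR
    if not base.is_dir():
        return []
    return sorted(
        p.relative_to(webroot).as_posix()
        for p in base.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
    )


def build_sample_webroot():
    """Create a throwaway webroot holding one constructed stand-in for a dropped file."""
    root = Path(tempfile.mkdtemp(prefix="wpfm-"))
    target = root / UPLOAD_DIR
    target.mkdir(parents=True)
    (target / "x.php").write_text("<?php /* constructed placeholder, not a real webshell */\n")
    (target / "readme.txt").write_text("benign\n")
    return root


if __name__ == "__main__":
    for finding in flag_suspicious_requests(SAMPLE_LOG):
        print(finding)
    print(find_dropped_php(build_sample_webroot()))
```

Run against a real site with `flag_suspicious_requests(open("/var/log/apache2/access.log"))` and `find_dropped_php("/var/www/html")`. A connector hit from an IP followed seconds later by a 200 on a .php file in lib/files/ is the probe-then-drop sequence Wordfence describes; treat the dropped file as a webshell until proven otherwise and assume anything it could reach is compromised.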

“Attackers can use these types of vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware or hijack users to nefarious sites. Website owners need to secure their sites using strong multi-factor authentication to minimize the chance of a large data breach. Consumers must continue to safeguard their personal data and monitor their credit history for signs of fraud,” Ameet Naik, security evangelist at PerimeterX, said in an emailed comment.

Related: Hackers Attempted to Steal Credentials From Millions of WordPress Websites

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Related: Code Injection Vulnerability in ‘Real-Time Find and Replace’ WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
