Security Experts:

Connect with us

Hi, what are you looking for?



WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks

The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability. 

The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability. 

Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.  

Assessed with a CVSS score of 10, the recently identified critical security flaw could have allowed an attacker to upload files and execute code remotely on an affected site, Seravo, which discovered the bug, reveals

The hosting service says that File Manager versions prior to 6.9 are affected and that disabling the plugin does not prevent exploitation. 

“We urgently advice everybody using anything less than the latest WP File Manager version 6.9 to update to the latest version or alternatively uninstall the plugin,” Seravo says.

When discovered, the security flaw was being exploited by botnets, Seravo reveals. 

The issue was found to reside in code taken from the elFinder project, a framework meant to provide web apps with file explorer GUI. The code was published as an example, but was added to the WordPress plugin, providing attackers with unauthenticated access to file upload. 

According to Wordfence, the plugin renamed “the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself.”

With no direct access restrictions, the file was exposed to anyone, but built-in protection in elFinder prevented directory traversal, thus limiting exploitation to the plugins/wp-file-manager/lib/files/ directory only.

Thus, the observed attacks leveraged the upload command to drop PHP files containing webshells to the wp-content/plugins/wp-file-manager/lib/files/ directory, Wordfence explains. 

The firm also reveals that it has observed nearly half a million attempts to exploit the bug within the past several days, but these appear to be probing attempts, with malicious files injected only after that. 

“Attackers can use these types of vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware or hijack users to nefarious sites. Website owners need to secure their sites using strong multi-factor authentication to minimize the chance of a large data breach. Consumers must continue to safeguard their personal data and monitor their credit history for signs of fraud,” Ameet Naik, security evangelist at PerimeterX, said in an emailed comment.

Related: Hackers Attempted to Steal Credentials From Millions of WordPress Websites

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Related: Code Injection Vulnerability in ‘Real-Time Find and Replace’ WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet