Thousands of WordPress websites at risk thanks to an obscure flaw

Security researchers have found that attackers are actively exploiting a vulnerability in File Manager, a WordPress plugin, that lets them upload files and execute commands and malicious scripts on any site that has not yet updated to the latest version of the plugin.

As reported by Ars Technica, attackers are using the flaw to upload PHP webshells disguised as image files. Once a webshell is in place, they can run commands on the server from the directory where the File Manager plugin resides on the vulnerable site.

File Manager is a popular plugin with more than 700,000 active installations. According to the website security firm Wordfence, it has blocked over 450,000 exploit attempts in the past few days, in which attackers tried to upload files with names such as hardfork.php, hardfind.php and x.php.

In a blog post, Wordfence threat analyst Chloe Chamberland explained why a file manager plugin is an attractive foothold for privilege escalation even when it is working as intended:

“A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area. For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit. For this reason, we recommend uninstalling utility plugins, like file management plugins, when they are not in use, so that they do not create an easy intrusion vector for attackers to escalate their privileges.”

File Manager plugin

The File Manager plugin helps administrators manage files on sites running WordPress. It is built on elFinder, an open source file-manager library that provides the plugin's core functionality. The vulnerability now being exploited is not in elFinder itself but in the way the plugin's developers integrated it: an elFinder connector script that ships as a non-executable example file was renamed so that it could be executed directly, exposing the file manager's operations to anyone who could reach the plugin's directory over the web.

Ville Korhonen, Systems Team Lead at Seravo, discovered the vulnerability and reported it to File Manager's developers.

The flaw affects File Manager versions 6.0 through 6.8. The developers have released version 6.9, which fixes it.

WordPress site owners who use File Manager should update to version 6.9 or later immediately. Because attackers have already been dropping webshells, updating alone does not clean a site that was hit before the patch: check the plugin's directory for unexpected PHP files such as hardfork.php, hardfind.php and x.php, and for image files that contain PHP code, and treat any hit as a compromise to be investigated rather than simply deleted.
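The following triage helper is an added example written for this page; it is not code from TechRadar, Wordfence, Seravo or the File Manager plugin. It reads the plugin's `Version:` header to decide whether the install falls in the affected 6.0 to 6.8 range, then walks the plugin directory for the indicator file names the reporting lists and for image files that contain PHP tags. The plugin directory name `wp-file-manager` and the `lib/files` upload location used in the constructed sample are assumptions; the sample tree is built in a temporary directory and is not a real capture.

```python
"""Triage an installed wp-file-manager plugin (added example, not the plugin's code)."""
import re
import tempfile
from pathlib import Path

# Affected range per the article: 6.0 through 6.8; 6.9 is the fix.
FIRST_VULNERABLE = (6, 0)
FIXED = (6, 9)

# File names Wordfence reported attackers trying to upload.
IOC_NAMES = {"hardfork.php", "hardfind.php", "x.php"}

# Extensions under which the reporting says webshells were hidden.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# Standard WordPress plugin header line, e.g. " * Version: 6.8".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text):
    """'6.8' -> (6, 8); '6' -> (6, 0); trailing non-numeric pieces are dropped."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version):
    """True for 6.0 <= version < 6.9."""
    return FIRST_VULNERABLE <= parse_version(version) < FIXED


def installed_version(plugin_dir):
    """Return the Version: header from the plugin's top-level PHP files, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        match = VERSION_RE.search(php.read_text(errors="replace"))
        if match:
            return match.group(1)
    return None


def find_indicators(plugin_dir):
    """List (kind, relative_path) for IOC file names and images carrying PHP tags."""
    root = Path(plugin_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in IOC_NAMES:
            hits.append(("ioc_filename", rel))
        elif path.suffix.lower() in IMAGE_EXTS:
            data = path.read_bytes()
            if b"<?php" in data or b"<?=" in data:
                hits.append(("php_in_image", rel))
    return sorted(hits)


def triage(plugin_dir):
    """Combine the version check and the indicator scan into one report."""
    version = installed_version(plugin_dir)
    return {
        "version": version,
        "needs_update": version is not None and is_vulnerable_version(version),
        "indicators": find_indicators(plugin_dir),
    }


def build_sample_plugin():
    """Constructed sample (not a real capture): a 6.8 install with one dropped
    IOC file and a webshell stand-in hidden in a file named like a GIF."""
    plugin = Path(tempfile.mkdtemp()) / "wp-file-manager"   # assumed dir name
    files = plugin / "lib" / "files"                        # assumed upload path
    files.mkdir(parents=True)
    (plugin / "plugin-main.php").write_text(
        "<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n")
    (files / "hardfork.php").write_text("<?php /* webshell stand-in */ ?>\n")
    (files / "photo.gif").write_bytes(
        b"GIF89a" + b"\x00" * 16 + b"<?php /* hidden stand-in */ ?>")
    (files / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return str(plugin)


if __name__ == "__main__":
    report = triage(build_sample_plugin())
    print("version:", report["version"], "needs update:", report["needs_update"])
    for kind, rel in report["indicators"]:
        print(f"{kind}: {rel}")
```

On a real site, point `triage()` at `wp-content/plugins/wp-file-manager` instead of the sample. A `php_in_image` hit is a strong signal: legitimate images have no reason to contain PHP open tags. A clean scan does not prove the site was never hit, since attackers can rename or remove their files, so pair it with web-server logs for requests to the plugin's directory during the exposure window.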

Source: TechRadar