
700,000 WordPress Sites Affected By Zero-day Vulnerability in File Manager Plugin

Yesterday a zero-day vulnerability was discovered in File Manager, a popular WordPress plugin. The vulnerability allows arbitrary file upload and remote code execution.

File Manager is a useful plugin that lets users browse site files in an easy way. With over 700,000 active installations, it is a desirable target for attackers.

The vulnerability was discovered yesterday by Seravo as part of their WordPress upkeep service. They noticed unusual activity on several of their customers’ websites, and further investigation revealed the severe vulnerability in the File Manager plugin.

Zero-day Arbitrary file upload & Remote code execution

The vulnerability exists because the file connector.minimal.php can be executed directly. That file loads lib/php/elFinderConnector.class.php, which reads POST/GET variables and can trigger File Manager features such as file upload.

Since these PHP scripts are allowed to be executed directly, an unauthenticated attacker can upload arbitrary PHP files and then execute them.

Upgrade plugin to version 6.9

The plugin’s team was informed of the vulnerability and released the patched version 6.9. Any website running wp-file-manager 6.8 or below should upgrade to 6.9 as soon as possible.

The vulnerability is being exploited in the wild. If you use the plugin, then even after upgrading to the patched version you should still scan the website for any malicious files that could have been uploaded by an attacker.
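Two checks that follow from the description above, as an added example that is not code from the article, the plugin or Seravo: find requests that reached the connector.minimal.php entry point in a web server access log, and list PHP files sitting under wp-content/uploads, where WordPress itself never writes code. The combined log format, the temporary WordPress-like directory tree and the sample log lines are constructed for this illustration.

```python
import os
import re
import tempfile

# Entry point named in the article; matched on the path only, so query strings cannot hide a hit.
CONNECTOR = "/lib/php/connector.minimal.php"
# Apache/nginx combined log format (assumed): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def connector_hits(log_lines):
    """Return (ip, timestamp, method, status) for each request that reached the connector script."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0].endswith(CONNECTOR):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits

def php_files_under_uploads(docroot):
    """List PHP-like files inside wp-content/uploads; a clean site should return an empty list."""
    uploads = os.path.join(docroot, "wp-content", "uploads")
    found = []
    for dirpath, _, files in os.walk(uploads):
        for name in files:
            if re.search(r"\.(php\d?|phtml|phar)$", name, re.IGNORECASE):
                found.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(found)

# Constructed sample log lines, not real traffic: two connector requests and two ordinary ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2020:10:14:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2020:10:15:30 +0000] "GET /index.php HTTP/1.1" 200 8123',
    '203.0.113.5 - - [01/Sep/2020:10:16:11 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?a=1 HTTP/1.1" 200 77',
    '192.0.2.9 - - [01/Sep/2020:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 302 0',
]

def demo_docroot():
    """Build a throwaway WordPress-like tree with one planted PHP file under uploads (constructed)."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "wp-content", "uploads", "2020", "09")
    os.makedirs(d)
    for name in ("photo.jpg", "x.php"):
        open(os.path.join(d, name), "w").close()
    return root

if __name__ == "__main__":
    for hit in connector_hits(SAMPLE_LOG):
        print("connector request:", hit)
    print("php under uploads:", php_files_under_uploads(demo_docroot()))
```

Point `connector_hits` at your real access log and `php_files_under_uploads` at the site's document root; any hit from before the upgrade to 6.9 deserves a closer look at what that client did next.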

Sohail

Mohd Sohail is a web developer and a Linux sysAdmin. He also loves to write how-to articles, applications reviews and loves to use new Linux distributions.
