This week the widely used WordPress plugin File Manager received a patch for a vulnerability that was being actively exploited as a zero-day.
Built to give WordPress site administrators copy/paste, edit, delete, download/upload, and archive functions for both files and directories, File Manager has more than 700,000 active installs.
Rated with a CVSS score of 10, the critical vulnerability could allow an attacker to upload files and execute code remotely on an affected site, says Seravo, the hosting provider that discovered the bug.
The hosting provider says versions of File Manager before 6.9 are affected, and that disabling the plugin does not prevent abuse.
“We urgently advise everyone to upgrade to the latest version or preferably uninstall the plugin using something less than the latest version of WP File Manager 6.9,” Seravo says.
Botnets were already exploiting the bug by the time it was found, Seravo reveals.
The flaw resides in code taken from the elFinder project, an open-source file-explorer GUI for web applications. The code was published as an example but was shipped as part of the WordPress plugin, giving unauthenticated attackers the ability to upload files.
According to Wordfence, the plugin renamed “the extension to .php on the connector.minimal.php.dist file of the elFinder library, so that it could be explicitly executed, even though the connector file was not used by the File Manager itself.”
With no restrictions on direct access, the file was reachable by anyone, but elFinder's built-in protection against directory traversal confined exploitation to the directory plugins/wp-file-manager/lib/files/.
The observed attacks therefore used the upload command to drop PHP files containing webshells into the directory wp-content/plugins/wp-file-manager/lib/archives/, Wordfence explains.
The firm also reports that over the past few days it has detected nearly half a million attempts to exploit the bug, though most appear to be probing attempts, with malicious files uploaded only afterwards.
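As an added example (not code from the original article, Seravo or Wordfence), the following Python script checks for the two indicators the reports describe: web requests that reach the elFinder connector file inside the plugin, which the plugin itself never calls, and PHP files sitting in the lib/files/ or lib/archives/ upload directories. The log lines and the directory tree are constructed; the combined log format and the lib/php/ location of the connector are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Apache/nginx combined log format, only the fields this check needs (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def connector_hits(log_lines):
    """Return (ip, method, path, status) for each request that reaches the elFinder
    connector shipped with wp-file-manager. Legitimate plugin traffic never touches it,
    so every hit, whatever its status code, is worth reviewing."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path")
        if "wp-file-manager" in path and "connector.minimal.php" in path.lower():
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits

def php_under_lib(wp_content):
    """List PHP files under wp-file-manager/lib/files/ and lib/archives/, the directories
    uploads were confined to. They should hold user data, never executable code."""
    lib = Path(wp_content) / "plugins" / "wp-file-manager" / "lib"
    found = []
    for sub in ("files", "archives"):
        if (lib / sub).is_dir():
            for p in (lib / sub).rglob("*"):
                if p.is_file() and p.suffix.lower() in (".php", ".phtml", ".phar"):
                    found.append(str(p.relative_to(lib)))
    return sorted(found)

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2020:10:01:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/7.64"',
    '198.51.100.7 - - [01/Sep/2020:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Sep/2020:10:02:30 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open HTTP/1.1" 200 310 "-" "python-requests/2.24"',
    "unparseable line that the regex must skip",
]

def build_sample_tree():
    """Create a throwaway wp-content layout: one dropped .php file and one harmless upload."""
    root = Path(tempfile.mkdtemp())
    lib = root / "plugins" / "wp-file-manager" / "lib"
    (lib / "archives").mkdir(parents=True)
    (lib / "files").mkdir()
    (lib / "archives" / "dropped.php").write_text("<?php // placeholder constructed for the example\n")
    (lib / "files" / "notes.txt").write_text("plain upload\n")
    return root
```

Run connector_hits over the site's real access log and php_under_lib against the real wp-content directory; any result from either is a reason to treat the site as potentially compromised rather than merely unpatched.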