Heads up, WordPress admins! Another vulnerable WordPress plugin might have exposed your website to cyber threats. Reportedly, the File Manager plugin had a critical vulnerability that could allow remote code execution attacks. Update your sites at the earliest.
File Manager Plugin Vulnerability
Team Wordfence has disclosed details about another vulnerable WordPress plugin posing threat to thousands of websites. This time, they found a critical zero-day vulnerability in the File Manager plugin that presently has over 700,000 active installations.
As explained in their blog post, the vulnerability existed because of the way the plugin used elFinder. It’s an open-source library providing the core functionality to the File Manager by creating a simple file management interface.
The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s
connector.minimal.php.distfile to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone.
The researchers discovered the bug following exploitation attempts of the flaw in the wild. Specifically, another researcher Gonzalo Cruz from Arsys observed such malicious attempts of uploading PHP files to their sites.
Wordfence elaborated that they blocked 450,000 exploitation attempts in a few days.
Following the discovery of the flaw, the File Manager’s developer worked on a patch that eventually rolled out with the release of plugin version 6.9.
Given the criticality of the flaw (CVSS score of 10.0) and the active exploitation, all plugin users must ensure updating their sites to the latest version.
Whereas, Wordfence has generally advised WordPress admins to uninstall any utility plugins on their sites that remain unused for long. It’s because any bug in these plugins running with admin privileges could lead to serious damages to the site.