A plugin name File Manager has been found with a vulnerability that is exploited by hackers.
The File Manager plugin helps administrators manage files on sites running the WordPress content management system. The plugin contains an additional file manager named as elFinder. This is the place where the problem is lying. The issue has raised because of the wrong implementation of elFinder.
The extension on elFinder was changed from connector.minimal.php.dist file to.PHP. How the problem started just by changing the extension is a complex topic though.
The problem is in the plugins/wp-file-manager/lib/files/. This is where the actual plugin resides.
The File Manager plugin is used in more than 700,000 WordPress sites. Hackers have found a vulnerability that allows them to execute commands and malicious scripts on the sites running this plugin.
NinTechNet, a website security firm in Bangkok, Thailand, was among the first to report an attack. The post said that a hacker was exploiting the vulnerability to upload a script titled hardfork.php and then using it to inject code into the WordPress scripts /wp-admin/admin-ajax.php and /wp-includes/user.php.
The attackers are basically uploading files that contains web shells that are hidden in an image file. And after that, they have an interface that allows them to run commands directly in the location of the plugin.
Website security firm Wordfence has said that it has already blocked 450,000 exploit attempts in the past few days. The hackers are initially uploading an empty file and if they are successful, then they upload a malicious file. Some of the file names which are malicious are hardfork.php, hardfind.php, and x.php.
The attacker can reach your dashboard by exploiting step by this issue step by step. Chloe Chamberland of Wordfence says “A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choice directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area,”
What Next
The developers of File Manager credited researcher Ville Korhonen of security firm Seravo with discovering and first reporting the vulnerability. Out of the 700,000 sites using this, 52% of sites have been affected by this issue.
Sal Aguilar, who sets up and secures WordPress sites, immediately wrote on twitter about this problem.
He said “The WP File Manager vulnerability is SERIOUS. Its spreading fast and I’m seeing hundreds of sites getting infected. Malware is being uploaded to /wp-content/plugins/wp-file-manager/lib/files.”
So now talking about is there any solution, yes there is. The problem is in the versions ranging from 6.0 to 6.8. If you have the File Manager version 6.9, you are safe. The rest of them must immediately update their File Manager to version 6.9.