Hackers are actively exploiting a critical remote code execution vulnerability in the File Manager WordPress plugin that could be exploited by unauthenticated attackers to upload scripts and execute arbitrary code on WordPress sites running vulnerable versions of the plugin.
The File Manager plugin allows users to easily manage files directly from WordPress, it is currently installed on more than 700,000 WordPress sites.
The vulnerability was first discovered by Gonzalo Cruz from Arsys, the researcher also confirmed that threat actors are already exploiting the flaw to upload malicious PHP files onto vulnerable sites.
The vulnerability impacts all versions between 6.0 and 6.8 of the popular plugin.
The developers of the plugin have quickly patched the vulnerability with the release of versions 6.9.
Cruz shared his findings with WordPress security firm Wordfence and provided it a working proof of concept exploit for the flaw.
Wordfence confirmed the ongoing attack, its Web Application Firewall already blocked over 450,000 exploit attempts during the last several days.
“The Wordfence firewall has blocked over 450,000 exploit attempts targeting this vulnerability over the past several days. We are seeing attackers attempting to inject random files, all of which appear to begin with the word “hard” or “x.”” Wordfence said.
“From our firewall attack data, it appears that attackers may be probing for the vulnerability with empty files and if successful, may attempt to inject a malicious file. Here is a list of some of the files we are seeing uploaded:
Wordfence experts confirmed that threat actors are trying to upload PHP files with webshells hidden within images to the wp-content/plugins/wp-file-manager/lib/files/ folder.
Experts strongly recommend updating to the latest version of the File Manager plugin, version 6.9 at the time of writing this post.
The plugin has only been downloaded just over 126,000 times within the last couple of days, this means that at least 574,000 WordPress sites are potentially exposed.
The good news is that only 51,5% (approximatively 300K+ websites)) of all sites running the File Manager plugin are running a vulnerable version.
(SecurityAffairs – hacking, File Manager plugin)