Attacks Target Critical Flaw in WordPress File Manager Plugin

Attackers are exploiting a critical vulnerability in a popular WordPress plugin that enables an adversary to run arbitrary commands and upload files to a target WordPress site.

The flaw is in the File Manager plugin, which has more than 700,000 active users and is designed to help administrators manage files on their WordPress sites. The plugin includes a third-party library called elFinder and the vulnerability results from the way that File Manager renamed an extension in elFinder.

“The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file,” Chloe Chamberland of Wordfence, a WordPress security firm, said in a post on the vulnerability and attacks exploiting it.
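Because File Manager never calls that connector itself, any request for it on a site is worth alerting on, whatever the server answered. The following Python script is an added example, not code from the article, Wordfence or the plugin: it scans constructed access-log lines for the connector file, counts probes per client, and separates requests the server answered 200 (the file is reachable) from 404s. PLUGIN_DIR is a placeholder for the plugin's directory, which the article does not name.

```python
import re
from collections import Counter

# Combined log format fields we need: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# File Manager never calls this elFinder connector itself, so any request
# for it is a probe or an exploit attempt, whatever the response was.
CONNECTOR = "connector.minimal.php"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_connector_request(entry):
    """True when the request path names the connector (query string ignored)."""
    path = entry["path"].split("?", 1)[0]
    return path.lower().endswith("/" + CONNECTOR)


def scan(lines):
    """Return the parsed entries that target the connector file."""
    return [e for e in map(parse_line, lines) if e and is_connector_request(e)]


def summarize(hits):
    """Count probes per client and how many the server answered 200,
    i.e. the connector is reachable and the site needs the fixed version now."""
    return {
        "probes": len(hits),
        "per_client": dict(Counter(h["ip"] for h in hits)),
        "served_200": sum(1 for h in hits if h["status"] == "200"),
    }


# Constructed sample lines; PLUGIN_DIR is a placeholder for the plugin directory.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Sep/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2301',
    '203.0.113.5 - - [02/Sep/2020:10:00:02 +0000] "POST /wp-content/plugins/PLUGIN_DIR/lib/php/connector.minimal.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Sep/2020:10:00:05 +0000] "GET /wp-content/plugins/PLUGIN_DIR/lib/php/connector.minimal.php?v=1 HTTP/1.1" 404 0',
    '203.0.113.5 - - [02/Sep/2020:10:00:09 +0000] "POST /wp-content/plugins/PLUGIN_DIR/lib/php/connector.minimal.php HTTP/1.1" 200 640',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(summarize(scan(SAMPLE_LOG)))
```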

The vulnerability was introduced in version 6.4 of File Manager, which was released in May. But it wasn’t until late August that researchers first saw exploit attempts against the bug. An exploit for the vulnerability was posted on GitHub in the last week of August, and it wasn’t until several days later, on Sept. 1, that the maintainers of File Manager released an updated version that fixed the bug. Although the fixed version has been available for a week, researchers say few of the WordPress sites running the plugin have updated.

“Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record,” Ram Gall of Wordfence said in a post on Sept. 4.

The severity of the vulnerability makes updating urgent, especially with automated scans for the bug ongoing. Identifying vulnerable sites is trivial and an exploit is publicly available, so time is of the essence, particularly since a successful exploit lets an attacker upload arbitrary files to the site.

“This exploit quickly gained popularity due to its very high impact and low requirements, where we have currently seen hundreds of thousands of requests from malicious actors attempting to exploit it,” Antony Garand of Sucuri said in a post about the flaw.

“The first attack we noticed was on August 31st, one day before the plugin was updated, with an average of 1.5k attacks per hour. On September 1st, we had an average of 2.5k attacks per hour, and on September 2nd we had peaks of over 10k attacks per hour.”