If you are using the File Manager plugin for WordPress and haven’t updated to the version released on September 1st, 2020, your WordPress installation is at risk from hackers exploiting a vulnerability that allows them to execute commands and malicious scripts. This security flaw in the File Manager was in versions ranging from 6.0 to 6.8.
Within hours of this announced on September 1st, reports of attacks on vulnerable installations were taking place, and with 52% of the approximate 700,000 sites using this still vulnerable, there are a lot of sites out there that are not up to date.
NinTechnet, a website security firm in Bangkok, Thailand was among the first to report attacks in the wild. In email, NinTechNet CEO Jerome Bruandet wrote:
“It’s a bit too early to know the impact because when we caught the attack, hackers were just trying to backdoor websites. However, one interesting thing we noticed is that attackers were injecting some code to password-protect the access to the vulnerable file (connector.minimal.php) so that other groups of hackers could not exploit the vulnerability on the sites that were already infected.”
“All commands can be run in the /lib/files folder (create folders, delete files etc), but the most important issue is that they can upload PHP scripts into that folder too, and then run them and do whatever they want to the blog.”
“So far, they are uploading “FilesMan”, another file manager often used by hackers. This one is heavily obfuscated. In the next few hours and days we’ll see exactly what they will do, because if they password-protected the vulnerable file to prevent other hackers to exploit the vulnerability it is likely they are expecting to come back to visit the infected sites.”
How is this attack being performed?
The attackers are using the exploit to upload files that contain webshells hidden in an image. This then provides them an easy interface to run commands in the plugins/wp-file-manager/lib/files/ directory where the plugin resides. While the restriction prevents hackers from executing commands outside of this specific directory, this could be used as a back door in by uploading scripts that can carry out actions outside of this directory on other parts of a vulnerable site.
How have we helped our clients
After we became aware of this, we had scanned our network and for all Managed WordPress clients we have taken the necessary steps to update the File Manager plugin.
For those that are not using our Managed WordPress services, please ensure you check if your application has been updated, and if not, ensure it’s updated.
Whether you are a current client of ours or not and you have been compromised by this or any other vulnerability, we offer a comprehensive Compromised Site Repair services for WordPress, and all common Content Management Systems.