Attacks target critical flaw in WordPress File Manager plugin
Attackers exploit a critical vulnerability in a popular WordPress plugin that allows an adversary to execute arbitrary commands and upload files to a target WordPress site.
The flaw lies in the File Manager plugin, which has over 700,000 active users and is designed to help administrators manage files on their WordPress sites. The plugin includes a third-party library called elFinder and the vulnerability results from how File Manager renamed an extension in elFinder.
“The heart of the problem started with the File Manager plugin renaming the extension of the connector.minimal.php.dist file from the elFinder library to .php so that it could be executed directly, even though the connector file was not used by the File Manager itself. These libraries often include sample files that are not intended to be used “as is” without adding access controls, and this file had no restrictions on direct access, which means the file could be viewed by anyone. This file could be used to launch an elFinder command and was linked to the elFinderConnector.class.php file,” said Chloe Chamberland of Wordfence, a WordPress security firm, in a post about the vulnerability and the attacks that exploit it.
The vulnerability was introduced in version 6.4 of File Manager, released in May. But it wasn’t until the end of August that researchers first saw attempted exploits against the bug. An exploit for the vulnerability was posted on GitHub in the last week of August, and it wasn’t until several days later, on September 1, that File Manager officials released an updated version that fixes the bug. Although the corrected version has been available for a week, researchers say few WordPress sites running the plugin have been updated.
“Sites not using this plugin are still being polled by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, that is still only a part of the WordPress ecosystem. As such, the true scale of these attacks is greater than what we have been able to record,” Ram Gall of Wordfence said in a post published September 4.
The severity of the vulnerability makes updating quite urgent, especially with automated scans for the bug already underway. Identifying vulnerable sites is a trivial task, and with a publicly available exploit, time is of the essence, especially since an attacker would be able to upload arbitrary files to the site after a successful exploit.
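Because the article describes the exposed file by name (the elFinder sample connector shipped as connector.minimal.php) and notes that bots are scanning sites for it, including sites that do not even run the plugin, a defender's first step is to look for that file name in web server access logs. The following script is an added example written for this article, not code from Wordfence, Sucuri or the plugin's authors. It parses lines in the common Apache/nginx combined log format, flags any request whose path ends in connector.minimal.php regardless of the response status (a 404 still records a probe), and summarizes the hits by client IP, HTTP method and status. The sample log lines are constructed, the plugin directory in them is a placeholder (the page does not give the plugin's directory layout), and the IP addresses are documentation ranges.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/nginx "combined" log format; the fields after the status code are
# ignored here because only IP, method, path and status are summarized.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# File named in the article: elFinder's sample connector, shipped by the
# plugin with a .php extension and no access control. Matching on the file
# name alone because the page does not state the plugin's directory path.
SUSPECT_FILE = "connector.minimal.php"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_connector_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Keep every well-formed request whose path (query string stripped) targets the connector."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.endswith(SUSPECT_FILE):
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate hits so a responder can see who probed, how, and whether the file answered."""
    return {
        "total": len(hits),
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "by_method": dict(Counter(h["method"] for h in hits)),
        # A 200 means the file is reachable on this host; a 404 is still a probe worth noting.
        "by_status": dict(Counter(h["status"] for h in hits)),
    }


# Constructed sample log: two POSTs from one client that reach the file (200),
# one GET from another client on a host without the plugin (404), one
# unrelated login request, and one malformed line that must be skipped.
PLUGIN_DIR = "/wp-content/plugins/file-manager-placeholder/lib/php"  # placeholder path
SAMPLE_LOG = [
    f'203.0.113.7 - - [31/Aug/2020:10:01:22 +0000] "POST {PLUGIN_DIR}/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [31/Aug/2020:10:02:05 +0000] "GET {PLUGIN_DIR}/connector.minimal.php HTTP/1.1" 404 169 "-" "curl/7.68.0"',
    '192.0.2.44 - - [31/Aug/2020:10:02:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [31/Aug/2020:10:03:11 +0000] "POST {PLUGIN_DIR}/connector.minimal.php?x=1 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]


def report(lines: List[str] = SAMPLE_LOG) -> Dict[str, object]:
    """Run the scan over a list of log lines and return the summary."""
    return summarize(find_connector_requests(lines))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Feed it real lines with `report(open("/var/log/apache2/access.log").read().splitlines())`. Any 200 against the connector on a site running the affected plugin version is the signal to treat the host as potentially compromised and review recently written files, not merely to update; a string of 404s shows the scanning described in the article is reaching the host.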
“This exploit quickly gained popularity due to its very high impact and low requirements, where we have currently seen hundreds of thousands of requests from malicious actors attempting to exploit it,” Sucuri’s Antony Garand said in a post about the flaw.
“The first attack we noticed was on August 31, a day before the plugin update, with an average of 1,500 attacks per hour. On September 1, we had an average of 2,500 attacks per hour, and on September 2, we had peaks of over 10,000 attacks per hour.