The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability.
Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.
Rated with a CVSS score of 10, the recently identified critical flaw could allow an attacker to upload files and execute code remotely on an affected site, according to Seravo, which discovered the bug.
The hosting service says that File Manager versions prior to 6.9 are affected and that disabling the plugin does not prevent exploitation.
“We urgently advise everybody using anything less than the latest WP File Manager version 6.9 to update to the latest version or alternatively uninstall the plugin,” Seravo says.
When discovered, the security flaw was being exploited by botnets, Seravo reveals.
The issue was found to reside in code taken from the elFinder project, a framework meant to provide web apps with a file explorer GUI. The code was published as an example, but was added to the WordPress plugin, giving unauthenticated attackers access to its file upload functionality.
According to Wordfence, the plugin renamed “the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself.”
With no direct access restrictions, the file was exposed to anyone, but built-in protection in elFinder prevented directory traversal, thus limiting exploitation to the plugins/wp-file-manager/lib/files/ directory only.
Thus, the observed attacks leveraged the upload command to drop PHP files containing webshells to the wp-content/plugins/wp-file-manager/lib/files/ directory, Wordfence explains.
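A triage check for the mechanism just described, added here as an example (not code from Seravo, Wordfence or the plugin): it flags whether the renamed connector script is still present and lists anything under the plugin's lib/files/ upload directory that looks like PHP code, which a directory meant for uploaded user files should never contain. The article names only the lib/files/ path; the connector's location under lib/php/ is an assumption, and the sample site tree is constructed inline.

```python
"""Post-incident check for the File Manager plugin issue described above.
Added example, not the vendor's or researchers' code. Assumes the plugin's
elFinder copy lives under wp-content/plugins/wp-file-manager/lib/ and that
the renamed connector is lib/php/connector.minimal.php (that path is an
assumption; only the lib/files/ upload directory is named in the article).
"""
import os
import re
import tempfile

PLUGIN_DIR = os.path.join("wp-content", "plugins", "wp-file-manager")
UPLOAD_DIR = os.path.join(PLUGIN_DIR, "lib", "files")
CONNECTOR = os.path.join(PLUGIN_DIR, "lib", "php", "connector.minimal.php")
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def audit(wp_root):
    """Return (connector_present, sorted suspicious paths relative to lib/files/).
    A file is suspicious if it carries a PHP-executable extension or contains
    a PHP open tag in its first 4 KiB (catches code hidden in image uploads)."""
    connector_present = os.path.isfile(os.path.join(wp_root, CONNECTOR))
    upload_root = os.path.join(wp_root, UPLOAD_DIR)
    hits = []
    for dirpath, _, names in os.walk(upload_root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if os.path.splitext(name)[1].lower() in PHP_EXT or PHP_TAG.search(head):
                hits.append(os.path.relpath(path, upload_root).replace(os.sep, "/"))
    return connector_present, sorted(hits)

def build_sample_site():
    """Constructed sample tree (not real data) so the check runs offline."""
    root = tempfile.mkdtemp()
    sample = {
        CONNECTOR: b"<?php // renamed .dist connector\n",
        os.path.join(UPLOAD_DIR, "report.pdf"): b"%PDF-1.4 plain upload\n",
        os.path.join(UPLOAD_DIR, "uploaded.php"): b"<?php // dropped script\n",
        os.path.join(UPLOAD_DIR, "img.jpg"): b"\xff\xd8<?php // tag inside image\n",
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

def run_sample():
    """Run the audit against the constructed site; returns (bool, list)."""
    return audit(build_sample_site())

if __name__ == "__main__":
    present, hits = run_sample()
    print("connector present:", present)
    for h in hits:
        print("suspicious under lib/files/:", h)
```

On a real install, point `audit()` at the WordPress root; any hit under lib/files/ warrants a look at the upload timestamp and the web server's access log for the matching request.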
The firm also reveals that it has observed nearly half a million attempts to exploit the bug within the past several days, but these appear to be probing attempts, with malicious files injected only after that.