The WordPress File Manager plugin’s creators have addressed a widely exploited security flaw that allows for complete website hijacking.
The vulnerability was discovered in version 6.4 of the software, which is used as an alternative to FTP for managing file transfers, copying, deletion, and uploads, according to the Sucuri WordPress security team. There are over 700,000 active installs of File Manager.
A file in the plugin was renamed for development and testing purposes in version 6.4, which was released on May 5. However, the renamed file was unintentionally committed to the project instead of being kept as a local change.
The file in question came from the third-party dependency elFinder and was kept in the plugin as a code reference. A small change to it, renaming connector-minimal.php-dist to connector-minimal.php, was enough to create a major vulnerability in the popular plugin.
elFinder, being a file manager, grants users elevated rights to modify, upload, and delete files. Because the system is designed to be simple, all it takes to enable an elFinder connector is changing the file's extension from .php-dist to .php, and that is how the attack vector was created.
While using the file as a reference may have helped the team test features locally, the researchers note that leaving such a script in a public build, a script intentionally designed not to check access permissions, creates a "catastrophic vulnerability if this file is left as-is on the deployment."
“This update let any unauthenticated user directly access this file and execute arbitrary operations on the library, including uploading and editing files,” according to Sucuri.
The remedy, incorporated in version 6.9, is straightforward: delete the file and any other unused .php-dist files, which were never part of the plugin's functionality.
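The fix described above amounts to an audit of the plugin directory for template files that should never be deployed. The following script is an added example, not code from the plugin, elFinder, or Sucuri: it walks a plugin directory and reports both leftover `.php-dist` templates (the files the fix deletes) and any template whose extension has been changed to `.php`, which the web server would execute. The template stem `connector-minimal` is taken from the article; the `lib/php/` location, the `connector-full.php-dist` filename, and the `plugin.php` entry point in the sample tree are constructed for the demonstration and are not taken from the real plugin.

```python
"""Audit a WordPress plugin directory for deployed connector templates.

Added example, not the plugin's own code. Assumes the convention the
article describes: upstream ships connector templates with a `.php-dist`
suffix, and renaming one to `.php` makes the server execute it without
any access check.
"""
from pathlib import Path
import tempfile

# Template stems named in the article. elFinder ships more connector
# variants than this; extend the set for a full audit (assumption).
TEMPLATE_STEMS = {"connector-minimal"}
DIST_SUFFIX = ".php-dist"


def audit_plugin_dir(plugin_dir):
    """Classify template-derived files under plugin_dir.

    Returns a dict with two sorted lists of paths relative to plugin_dir:
      'dist'       - unused *.php-dist templates (the fix deletes these)
      'executable' - a known template renamed to .php; the server will run
                     it, and per the article it enforces no access check
    """
    root = Path(plugin_dir)
    found = {"dist": [], "executable": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name.endswith(DIST_SUFFIX):
            found["dist"].append(str(path.relative_to(root)))
        elif name.endswith(".php") and name[:-4] in TEMPLATE_STEMS:
            found["executable"].append(str(path.relative_to(root)))
    return {kind: sorted(paths) for kind, paths in found.items()}


def build_sample_tree():
    """Constructed sample layout mirroring the article: one template renamed
    to .php plus one leftover .php-dist. The directory names are assumptions,
    not the real plugin's layout."""
    base = Path(tempfile.mkdtemp(prefix="wpfm-audit-"))
    lib = base / "lib" / "php"
    lib.mkdir(parents=True)
    (lib / "connector-minimal.php").write_text("<?php // renamed template\n")
    (lib / "connector-full.php-dist").write_text("<?php // unused template\n")
    (base / "plugin.php").write_text("<?php // plugin entry point\n")
    return base


if __name__ == "__main__":
    report = audit_plugin_dir(build_sample_tree())
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind:10s} {rel}")
```

Run against a real installation, an empty `executable` list and an empty `dist` list are what a post-6.9 deployment should produce; anything in `executable` is the condition the article describes.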
Proof-of-concept (PoC) code was uploaded to GitHub a week before the file was removed, resulting in a surge of attacks on websites before version 6.9 was released.
According to Sucuri, the vulnerability quickly gained attention. The first attack was observed on August 31, a day before the patched version of the file manager was released. This climbed to around 1,500 attacks per hour after a day, and then to an average of 2,500 attacks per hour the day after that. By the second week of September, the team was seeing around 10,000 attacks per hour.
Sucuri has monitored “hundreds of thousands of requests” from hostile actors seeking to exploit the vulnerability.
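The request volumes Sucuri reports are the kind of signal a site operator can pull from ordinary web server logs. The script below is an added example, not Sucuri's tooling or the plugin's code: it parses access log lines in the common "combined" format, flags every request whose target script is `connector-minimal.php` (the filename given in the article), and counts hits per hour and per source address. The `/wp-content/plugins/` prefix is standard WordPress layout; the `file-manager/lib/php/` part of the sample paths is an assumption, which is why matching is done on the script's basename only. The four log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Flag and count requests to an elFinder connector script in access logs.

Added example, not code from Sucuri or the plugin. Detection keys on the
script name the article gives (connector-minimal.php); the directory part
of the path is treated as unknown and ignored.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

CONNECTOR_NAME = "connector-minimal.php"

# Apache/nginx "combined" log format; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: two probes from one address, a normal login
# page request, and a probe against a site where the script is absent.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2020:10:02:11 +0000] "GET /wp-content/plugins/file-manager/lib/php/connector-minimal.php?cmd=open HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [31/Aug/2020:10:02:12 +0000] "POST /wp-content/plugins/file-manager/lib/php/connector-minimal.php HTTP/1.1" 200 188 "-" "curl/7.68.0"
198.51.100.23 - - [31/Aug/2020:11:15:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Aug/2020:11:15:45 +0000] "POST /wp-content/plugins/file-manager/lib/php/connector-minimal.php HTTP/1.1" 404 196 "-" "python-requests/2.24"
""".splitlines()


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_connector_request(target):
    """True when the request path's final component is the connector script."""
    path = urlsplit(target).path
    return path.rsplit("/", 1)[-1] == CONNECTOR_NAME


def scan_log(lines):
    """Return (hits, per_hour, per_ip).

    hits     - list of (hour, ip, method, cmd, status) for connector requests
    per_hour - Counter keyed by "DD/Mon/YYYY:HH", comparable to the hourly
               figures Sucuri reports
    per_ip   - Counter of connector requests per source address
    """
    hits, per_hour, per_ip = [], Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_connector_request(rec["target"]):
            continue
        # elFinder connectors carry the operation in a `cmd` parameter
        # (assumption about the library's protocol, not stated on the page).
        # For POST requests it travels in the body, which the log lacks.
        query = parse_qs(urlsplit(rec["target"]).query)
        cmd = query.get("cmd", ["(body)"])[0]
        hour = rec["ts"][:14]  # "31/Aug/2020:10"
        per_hour[hour] += 1
        per_ip[rec["ip"]] += 1
        hits.append((hour, rec["ip"], rec["method"], cmd, rec["status"]))
    return hits, per_hour, per_ip


if __name__ == "__main__":
    hits, per_hour, per_ip = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("connector request:", *hit)
    for hour, n in sorted(per_hour.items()):
        print(f"{hour}: {n} request(s)")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s)")
```

A 404 is counted as well as a 200: probes against sites that never installed the plugin still show which addresses are scanning, and a 200 on a site that does run the plugin is the line to investigate first.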
Even though the vulnerability has been fixed, just 6.8% of WordPress websites have updated to the current, patched plugin version, leaving many sites open to attack.
A reflected XSS vulnerability in KingComposer, a WordPress plugin for drag-and-drop page construction, was addressed in July. CVE-2020-15299 stemmed from a static Ajax function that could be exploited to deliver malicious payloads.