WordPress File Manager plugin flaw exploited in the wild to hijack websites
The developers of the WordPress File Manager plugin fixed an actively exploited security issue that allowed full website hacking.
According to the Sucuri WordPress security team, the vulnerability appeared in version 6.4 of the software, which is used as an alternative to FTP to handle file transfers, copying, deletion and downloads.
File Manager has more than 700,000 active installations.
In version 6.4, released May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local edit, the renamed file was accidentally added to the project.
The file in question came from the third-party elFinder dependency and was used as a code reference. The change, renaming connector-minimal.php-dist to connector-minimal.php, was a small tweak, but it was enough to trigger a critical vulnerability in the popular plugin.
elFinder, as a file manager, grants users elevated privileges to edit, download and delete files. Because the system is designed for ease of use, configuring the elFinder file manager only requires changing the file extension from .php-dist to .php, and that is exactly what opened the way for attacks.
While using the file as a reference may have helped the team test functionality locally, the researchers say that leaving such a script, intentionally designed not to check access permissions, in a public release creates “a catastrophic vulnerability if this file is left as is and deployed.”
“This change allowed any unauthenticated user to directly access this file and execute arbitrary commands in the library, including downloading and editing files, ultimately leaving the website vulnerable to a complete takeover,” Sucuri said.
The solution, included in version 6.9, is quite simple: just delete the file – which was never part of the plugin’s functionality anyway – and the other unused .php-dist files.
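The two defender-side checks that follow from the description above, as an added example that is not Sucuri's or the plugin's own code: first, a scan of a plugin directory for any executable .php file that is a renamed copy of a .php-dist template sitting beside it (the exact mistake made with connector-minimal.php), together with the fix the article describes, deleting those copies; second, a pass over web-server access-log lines that counts requests reaching the connector file per hour, since the script performs no access check of its own, so any request to it from the open web is worth flagging. The plugin directory layout, the URL path in the log lines and the log lines themselves are constructed for the example and are not taken from the real plugin.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime

TEMPLATE_SUFFIX = ".php-dist"


def find_deployed_templates(root):
    """Walk `root` and return every live .php file that sits beside an
    identically named .php-dist template. A template only becomes reachable
    from the web once it is renamed to .php."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            if not name.endswith(TEMPLATE_SUFFIX):
                continue
            live = name[: -len(TEMPLATE_SUFFIX)] + ".php"
            if live in present:
                findings.append(os.path.join(dirpath, live))
    return sorted(findings)


def delete_deployed_templates(root):
    """Apply the fix from the article: remove the renamed copies and return
    the paths that were deleted. The .php-dist originals are left alone."""
    removed = find_deployed_templates(root)
    for path in removed:
        os.remove(path)
    return removed


def build_demo_tree():
    """Constructed plugin directory (assumed layout, not the real plugin's):
    one renamed template next to its .php-dist original, plus one untouched
    template that must not be reported."""
    root = tempfile.mkdtemp(prefix="demo-plugin-")
    lib = os.path.join(root, "lib", "php")
    os.makedirs(lib)
    for name in ("connector-minimal.php-dist", "connector-minimal.php",
                 "connector-other.php-dist"):
        with open(os.path.join(lib, name), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return root


# Apache combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def connector_hits(lines, connector_name="connector-minimal.php"):
    """Bucket requests that reach the connector file by hour and return a
    Counter keyed 'YYYY-MM-DD HH:00'. The query string is stripped before
    matching so that '?...' variants of the same path are still caught."""
    per_hour = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.endswith("/" + connector_name):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return per_hour


# Constructed log lines; the plugin path is invented for the example.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Aug/2020:14:05:01 +0000] "POST /wp-content/plugins/example-file-manager/lib/php/connector-minimal.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [31/Aug/2020:14:05:03 +0000] "POST /wp-content/plugins/example-file-manager/lib/php/connector-minimal.php HTTP/1.1" 200 640 "-" "curl/7.68.0"',
    '198.51.100.7 - - [31/Aug/2020:14:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Aug/2020:14:41:12 +0000] "GET /wp-content/plugins/example-file-manager/lib/php/connector-minimal.php?ver=1 HTTP/1.1" 200 88 "-" "python-requests/2.24"',
    '192.0.2.44 - - [31/Aug/2020:15:02:47 +0000] "POST /wp-content/plugins/example-file-manager/lib/php/connector-minimal.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    root = build_demo_tree()
    print("renamed templates:", find_deployed_templates(root))
    print("deleted:", delete_deployed_templates(root))
    print("connector hits per hour:", dict(connector_hits(SAMPLE_LOG)))
```

Run against a real install, `find_deployed_templates` would be pointed at the plugins directory and `connector_hits` fed the site's access log; a non-empty result from either is the signal to update to 6.9 or later and to review what was written to the site while the file was reachable.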
However, a week before the file was deleted, proof-of-concept (PoC) code was posted to GitHub, triggering a wave of attacks on websites before version 6.9 was released.
Sucuri says the exploit quickly gained traction. The first attack was spotted on August 31, a day before a patched version of File Manager was released. It climbed to around 1,500 attacks per hour, and a day later it rose to an average of 2,500 attacks every 60 minutes. On September 2, the team saw about 10,000 attacks per hour.
In total, Sucuri followed “hundreds of thousands of requests from malicious actors trying to exploit it.”
While the vulnerability has now been addressed, at the time of writing only 6.8% of WordPress websites have been updated to the new patched version of the plugin, leaving many websites open to compromise.
In July, a reflected XSS vulnerability was fixed in KingComposer, a WordPress drag-and-drop page-building plugin. The bug, CVE-2020-15299, was caused by a dormant Ajax feature that could be abused to deploy malicious payloads.