WordPress File Manager plugin affected by massive vulnerability
A huge vulnerability has been found in the File Manager plugin for WordPress web sites. While a patch was released on September 1, 2020, millions of attacks are still taking place through unprotected sites…
You can read more about how to protect yourself, and what the threat is. Don’t worry – if you’re hosted with us we’ve already done everything required if you had the plugin installed. We’ve even thrown in example code for all you techies out there.
What is File Manager?
File Manager is a plugin designed to help WordPress administrators manage files on their sites. The plugin contains an additional library, elFinder, which is an open-source file manager designed to create a simple file management interface and provides the core functionality behind the file manager. The File Manager plugin used this library in a way that introduced a vulnerability.
What’s caused this vulnerability?
The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly. This is even though the connector file was not used by the File Manager itself.
Such libraries often include example files that are not intended to be used “as-is” without adding access controls. This file had no direct access restrictions, meaning the file could be accessed by anyone.
This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.
Any parameters sent in a request to connector.minimal.php would be processed by the run() function in the elFinderConnector.class.php file. This includes the command that was supplied in the cmd parameter.
The good news is that elFinder has built-in protection against directory traversal, so an attacker would be unable to use any of these commands on any files outside of the plugins/wp-file-manager/lib/files/ directory.
The attacks we are seeing in the wild are using the upload command to upload PHP files containing webshells hidden in an image to the wp-content/plugins/wp-file-manager/lib/files/ directory.
What are the indicators of a compromise?
We are seeing attackers attempting to inject random files, all of which appear to begin with the word “hard” or “x”. From our firewall attack data, it appears that attackers may be probing for the vulnerability with empty files and if successful, may attempt to inject a malicious file.
Here is a list of some of the files we are seeing uploaded:
hardfork.php hardfind.php x.php
Please look for these files in the /wp-content/plugins/wp-file-manager/lib/files directory of your site. We’ve also noted a number of the same IP addresses launching the attacks – so blacklist these now to reduce the risk…
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
What’s the recommendation for File Manager?
There are two options here – update or remove. If you find that your site’s functionality requires consistent usage of the plugin, ensure it is updated to at least version 6.9, which patched this vulnerability.
If you are not actively using the plugin, uninstall it completely. Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used. This is the same advice we give with all plugins.
Need more help?
This page is supported by third-party advertising…