WordPress security: Zero-day flaw in File Manager plugin actively exploited


Some 700,000 WordPress sites thought to be impacted by remote code execution bug


Users of File Manager, a popular WordPress plugin, have been urged to update to the latest version amid the active exploitation of a critical zero-day vulnerability.

The remote code execution (RCE) flaw, which was assigned the highest possible CVSS score of 10, allows unauthenticated attackers to execute arbitrary code and upload malicious files on vulnerable websites.

File Manager, which helps WordPress administrators organize files on their sites, has more than 700,000 active installations.

Indicators of compromise

A firewall deployed by Wordfence has blocked over 450,000 exploit attempts targeting the vulnerability in recent days, according to a blog post published by the WordPress security outfit yesterday (September 1).

Attackers appear to be probing for the flaw by attempting to inject empty files, the company said.

Wordfence has advised users to check files within File Manager for indicators of compromise that include the files , , , and six IP addresses frequently used by attackers.

Miscreants “are using the upload command to upload PHP files containing webshells hidden in an image to the wp-content/plugins/wp-file-manager/lib/files/ directory”, said Chloe Chamberland, a threat analyst at Wordfence.
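The check Wordfence describes above (look inside the plugin's upload directory for PHP webshells disguised as images, and for the empty files left by probing) can be scripted. The following Python scanner is an added example, not part of the article or of Wordfence's tooling; it uses the upload path named in the quote, while the WordPress root and every sample file it creates are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Upload directory named in the Wordfence write-up, relative to the WordPress root.
UPLOAD_DIR = Path("wp-content/plugins/wp-file-manager/lib/files")

# A PHP open tag anywhere in the content, whatever the file extension claims.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_upload_dir(root: Path) -> dict:
    """Walk the File Manager upload directory and bucket suspicious files.

    Returns a dict with three lists of paths relative to root:
      php_files    - files with a PHP-executable extension (none belong here)
      php_in_other - non-PHP files (images, text) that contain a PHP open tag
      empty_files  - zero-byte files, the pattern Wordfence saw from probing
    """
    findings = {"php_files": [], "php_in_other": [], "empty_files": []}
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if not data:
            findings["empty_files"].append(rel)
            continue
        if path.suffix.lower() in PHP_EXTS:
            findings["php_files"].append(rel)
        elif PHP_TAG.search(data):
            findings["php_in_other"].append(rel)
    return findings


def build_sample_site() -> Path:
    """Construct a throwaway WordPress-like tree (assumed layout, sample data only)."""
    base = Path(tempfile.mkdtemp(prefix="wpfm-"))
    d = base / UPLOAD_DIR
    d.mkdir(parents=True)
    # Benign image: JPEG magic bytes followed by padding.
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # "Image" with a PHP open tag after the PNG header: the disguised-webshell pattern.
    # The PHP body is an inert placeholder constructed for this example.
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php /* placeholder */ ?>")
    # A bare PHP file dropped in the upload directory.
    (d / "x.php").write_bytes(b"<?php /* placeholder */ ?>")
    # Zero-byte file, as seen in probing attempts.
    (d / "probe").write_bytes(b"")
    # Ordinary text file that should not be flagged.
    (d / "readme.txt").write_bytes(b"notes\n")
    return base


if __name__ == "__main__":
    site = build_sample_site()
    for bucket, files in scan_upload_dir(site / UPLOAD_DIR).items():
        print(f"{bucket}: {files}")
```

Run it against a real site by passing the site's own `wp-content/plugins/wp-file-manager/lib/files` path to `scan_upload_dir`; anything in `php_files` or `php_in_other` warrants a manual look, since legitimate uploads through the plugin should never contain PHP code. Matching on content rather than extension is what catches the image-disguised case.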

elFinder

The vulnerability was found in elFinder, an open source file manager used by the plugin.

“The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s file to so it could be executed directly, even though the connector file was not used by the File Manager itself,” explained Chamberland.

“Such libraries often include example files that are not intended to be used ‘as-is’ without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.”


She continued: “Any parameters sent in a request to would be processed by the function in the file, including the command that was supplied in the parameter.”

Thankfully, she added, “elFinder has built-in protection against directory traversal”, so an attacker would be unable to execute malicious commands outside of the plugin’s file directory.

Patch and timeline

The vulnerability is present in File Manager versions 6.0-6.8 and was patched in version 6.9.

It was unearthed by Gonzalo Cruz from Arsys, who alerted Wordfence to evidence of in-the-wild exploitation yesterday.

Five and a half hours later, the plugin’s developer, Canada-based Webdesi9, released a patch that fixed the problem by removing the file.

‘Serious problems’

File management and other utility plugins typically “contain several features that if exposed within the admin area of your WordPress installation, could cause serious problems,” said Chamberland.

This includes attackers manipulating files or uploading malicious files “directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area.

“For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

Wordfence therefore recommends that users uninstall utility plugins “when they are not in use, so that they do not create an easy intrusion vector for attackers to escalate their privileges”.

