Hundreds of thousands of WordPress sites are at risk after researchers discovered a zero-day vulnerability in WordPress’s File Manager plugin. The threat intelligence team at cybersecurity firm Wordfence said the flaw could allow threat actors to upload malicious files and execute commands on a target site, and that the plugin has over 700,000 active installations. File Manager is a plugin intended to help WordPress admins manage files on their websites. A patch has been released, and the researchers asked users to update to version 6.9 immediately.
The researchers stated that the zero-day vulnerability in the File Manager plugin could allow cybercriminals to execute arbitrary code on a WordPress site without any authentication or user interaction, as the CVSS vector below (PR:N, UI:N) reflects.
“While analyzing the vulnerability, we discovered that it was possible to bypass the built-in file upload protection, so we deployed an additional firewall rule for maximum coverage. Wordfence Premium customers received this new firewall rule on September 1, 2020, at 2:56 PM UTC. Free Wordfence users will receive the rule after thirty days on October 1, 2020,” the researchers said.
Description: Remote Code Execution
Affected Plugin: File Manager
Plugin Slug: wp-file-manager
Affected Versions: 6.0-6.8
CVSS Score: 10.00 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched Versions: 6.9
“The Wordfence firewall has blocked over 450,000 exploit attempts targeting this vulnerability over the past several days. We are seeing attackers attempting to inject random files, all of which appear to begin with the word “hard” or “x.” From our firewall attack data, it appears that attackers may be probing for the vulnerability with empty files and if successful, may attempt to inject a malicious file,” the researchers added.
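The advisory data above gives a site owner two concrete things to check: whether the installed copy of wp-file-manager is in the affected 6.0–6.8 range, and whether any recently written files match the indicators Wordfence describes (zero-byte probe files, names beginning with “hard” or “x”). The script below is an added example written for this page, not Wordfence’s code or the plugin’s. It assumes the standard WordPress plugin header convention (a `Version:` line in the main PHP file under `wp-content/plugins/wp-file-manager/`) and takes the directories to scan as a parameter, because the page does not say where the plugin writes uploaded files; the sample site tree it builds is constructed for the demonstration.

```python
"""Triage helper for the wp-file-manager advisory (added example, not Wordfence's code)."""
import os
import re
import tempfile
import time
from pathlib import Path

PLUGIN_SLUG = "wp-file-manager"
AFFECTED_MIN, AFFECTED_MAX = (6, 0), (6, 8)   # "Affected Versions: 6.0-6.8"
PATCHED = (6, 9)                              # "Patched Versions: 6.9"
# WordPress plugin header line, e.g. " * Version: 6.8" in the main PHP file's comment block.
VERSION_HEADER = re.compile(r"^[ \t/*#]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.M)


def parse_version(text):
    """'6.8' -> (6, 8). Tuples compare correctly, unlike strings ('6.10' < '6.9' as text)."""
    return tuple(int(part) for part in text.split("."))


def installed_version(plugins_dir):
    """Return the plugin's version tuple, or None if it is absent or has no parseable header."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        match = VERSION_HEADER.search(php_file.read_text(errors="replace"))
        if match:
            return parse_version(match.group(1))
    return None


def is_affected(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def indicator_files(directory, max_age_days=7):
    """Recently written files matching the advisory's indicators: zero-byte probes and
    names beginning with 'hard' or 'x'. The 'x' prefix is noisy on a whole site, so point
    this at directories the plugin can write into rather than the document root."""
    cutoff = time.time() - max_age_days * 86400
    root = Path(directory)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        stat = path.stat()
        if stat.st_mtime < cutoff:
            continue
        if stat.st_size == 0 or path.name.lower().startswith(("hard", "x")):
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def triage(wp_root, scan_dirs):
    """Combine the version check and the indicator scan for one WordPress install."""
    version = installed_version(Path(wp_root) / "wp-content" / "plugins")
    return {
        "version": version,
        "needs_update": is_affected(version),
        "indicators": {d: indicator_files(Path(wp_root) / d) for d in scan_dirs},
    }


def build_demo_site():
    """Constructed sample tree (not real data): a vulnerable 6.8 install plus planted files."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin.mkdir(parents=True)
    (plugin / "plugin.php").write_text("<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n")
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir()
    (uploads / "hardfoo.php").write_text("<?php /* planted */")
    (uploads / "x.php").write_text("<?php /* planted */")
    (uploads / "probe").write_text("")              # empty probe file
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8")  # legitimate, must not be reported
    old = uploads / "xold.txt"
    old.write_text("old")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))           # name matches but too old, must not be reported
    return root


if __name__ == "__main__":
    print(triage(build_demo_site(), ["wp-content/uploads"]))
```

A hit on the indicator scan is a reason to inspect the file, not proof of compromise; the version check is the actionable part, and any site still on 6.0–6.8 should be updated to 6.9 regardless of what the scan finds.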
Over 1.3 Mn WordPress Websites at Risk
Earlier, security experts observed cybercriminals targeting around 1.3 million WordPress websites in a single day in an attempt to steal database credentials. The attackers tried to download the wp-config.php configuration file, which holds the database connection details along with the authentication unique keys and salts, by exploiting known vulnerabilities in WordPress plugins and themes. Where a targeted site ran one of the vulnerable plugins, the attackers could connect to its database with the stolen credentials, read or reset the stored user credentials, and take control of the website.
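Because wp-config.php is never a legitimate URL target, any request that references it after URL decoding is worth flagging, and a 200 response with a non-zero body size is the case to escalate. The scanner below is an added example written for this page, not part of the original article or of Wordfence’s tooling. It assumes Apache/nginx “combined” access-log format; the log lines, IP addresses and plugin paths (`example-plugin`, `example-theme`) are constructed for the demonstration and are not real.

```python
"""Flag wp-config.php download attempts in access logs (added example, not Wordfence's code)."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (not real traffic); TEST-NET addresses and hypothetical plugin paths.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:12:00:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:12:00:02 +0000] "GET /wp-content/themes/example-theme/dl.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 231 "-" "Mozilla/5.0"
198.51.100.9 - - [30/May/2020:12:00:03 +0000] "GET /index.php?p=%252e%252e%252fwp-config.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.5 - - [30/May/2020:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
192.0.2.5 - - [30/May/2020:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""


def normalize(target):
    """Decode repeatedly so double-encoded payloads (%252e%252e%252f) still resolve,
    then unify backslashes and case so substring checks are not trivially evaded."""
    current, previous = target, None
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote(current)
    return current.replace("\\", "/").lower()


def is_config_theft_attempt(target):
    """True for any request whose decoded path or query names wp-config.php."""
    return "wp-config.php" in normalize(target)


def scan(log_text):
    """Return one record per suspicious request, marking likely-successful downloads."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or not is_config_theft_attempt(match["target"]):
            continue
        size = int(match["bytes"]) if match["bytes"].isdigit() else 0
        hits.append({
            "ip": match["ip"],
            "time": match["time"],
            "target": match["target"],
            "status": int(match["status"]),
            # A real wp-config.php is a few KB; a 200 with an empty body usually means PHP
            # executed the file instead of serving its source, so only non-zero bodies count.
            "likely_success": match["status"] == "200" and size > 0,
        })
    return hits


def summarize(hits):
    """Per-source-IP counts, so a campaign shows up as one row rather than many lines."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(hit["ip"], {"attempts": 0, "successes": 0})
        entry["attempts"] += 1
        entry["successes"] += int(hit["likely_success"])
    return summary


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(summarize(scan(SAMPLE_LOG)))
```

A likely success means the database credentials and salts should be treated as exposed: rotate the database password, regenerate the authentication keys and salts in wp-config.php, and review the users table for accounts the attacker may have added.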