National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team aims to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, banks and communication providers of the Republic of Cyprus.

Hackers actively exploiting severe bug in over 300K WordPress sites

3 September 2020

Hackers are actively exploiting a critical remote code execution vulnerability allowing unauthenticated attackers to upload scripts and execute arbitrary code on WordPress sites running vulnerable File Manager plugin versions.

On the morning of September 1st, Seravo’s on-call security officer Ville Korhonen was the first to discover the flaw and the fact that threat actors were already attempting to exploit it in attacks designed to upload malicious PHP files onto vulnerable websites.

Within hours after Korhonen spotted the attacks and reported the vulnerability to the plugin’s developer, File Manager’s devs patched the severe flaw with the release of version 6.9.

The File Manager plugin is currently installed on more than 700,000 WordPress sites and the vulnerability impacts all versions between 6.0 and 6.8.

450,000 sites already probed

Wordfence researchers were also informed of this ongoing attack on the morning of September 1st by Arsys’s Gonzalo Cruz, who provided them with a working proof of concept, allowing them to look into how to block the attacks.

The WordPress security company later said that the Wordfence Web Application Firewall had blocked over 450,000 exploit attempts during the last several days.

Wordfence said that the hackers are trying to upload PHP files with webshells concealed within images to the wp-content/plugins/wp-file-manager/lib/files/ folder.

The attackers were also seen first probing potentially vulnerable sites with empty files and injecting the malicious scripts only when that probe succeeds.

NinTechNet, who also reported the exploit attempts, said the attackers are attempting to upload a malicious hardfork.php script which allows them to inject malicious code within the WordPress sites’ /wp-admin/admin-ajax.php and /wp-includes/user.php scripts.

What makes the attacks even more interesting is that the hackers also immediately try to prevent others from compromising an already infected site by password-protecting the files that the File Manager vulnerability leaves writable.
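The indicators above (the vulnerable 6.0 to 6.8 version range, PHP code dropped under wp-content/plugins/wp-file-manager/lib/files/ inside image-named files, the hardfork.php probe, and modified admin-ajax.php / user.php) lend themselves to a simple host-side audit. The following is an added example written for this page; it is not code from the article, from Bleeping Computer, from Wordfence or from the plugin itself. It assumes a standard WordPress directory layout under one root, reads the plugin version from the standard "Version:" plugin header, and compares the two core files against known-good hashes that the operator supplies from a clean copy of the same WordPress release. The sample install that build_demo_site() creates is constructed for the demonstration; the "webshell" it plants is a harmless placeholder comment.

```python
"""Audit a WordPress install for the File Manager indicators named in the article.

Added example, not the article's or the plugin's code. Assumes a standard WordPress
layout; plugin path, lib/files/ folder, hardfork.php and the two core files are the
ones the article names. The sample site built below is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

VULN_MIN, VULN_MAX = (6, 0), (6, 8)            # vulnerable range given in the article
PLUGIN_DIR = Path("wp-content/plugins/wp-file-manager")
UPLOAD_DIR = PLUGIN_DIR / "lib/files"         # folder the webshells are uploaded to
HARDFORK_NAME = "hardfork.php"                # probe/injector script named by NinTechNet
CORE_TARGETS = ("wp-admin/admin-ajax.php", "wp-includes/user.php")

PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.MULTILINE)


def parse_version(header_text):
    """Extract the 'Version:' line of a WordPress plugin header as a tuple of ints."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(version):
    """True when major.minor lies in 6.0 .. 6.8 (6.9 is the patched release)."""
    if version is None:
        return False
    major_minor = (tuple(version) + (0,))[:2]  # pad "6" to "6.0"
    return VULN_MIN <= major_minor <= VULN_MAX


def installed_version(wp_root):
    """Locate the plugin's main file by its 'Plugin Name:' header and read its version."""
    for php in sorted((Path(wp_root) / PLUGIN_DIR).glob("*.php")):
        text = php.read_text(errors="replace")
        if "Plugin Name:" in text:
            return parse_version(text)
    return None


def scan_upload_dir(wp_root):
    """Flag files under lib/files/ that contain a PHP open tag, whatever their extension
    (so PHP hidden in image-named files is caught), or that carry the hardfork.php name."""
    base = Path(wp_root) / UPLOAD_DIR
    if not base.is_dir():
        return []
    hits = []
    for p in base.rglob("*"):
        if p.is_file() and (p.name == HARDFORK_NAME or PHP_TAG.search(p.read_bytes())):
            hits.append(p.relative_to(wp_root).as_posix())
    return sorted(hits)


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def tampered_core_files(wp_root, known_good):
    """Compare the two core files the article says get modified against hashes taken
    from a clean copy of the same WordPress release (known_good: relpath -> sha256)."""
    root = Path(wp_root)
    return [rel for rel in CORE_TARGETS
            if (root / rel).is_file() and sha256_of(root / rel) != known_good.get(rel)]


def audit(wp_root, known_good):
    version = installed_version(wp_root)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version),
        "suspicious_uploads": scan_upload_dir(wp_root),
        "tampered_core_files": tampered_core_files(wp_root, known_good),
    }


def build_demo_site():
    """Constructed sample install: File Manager 6.8, an image-named file carrying a PHP
    tag and an empty hardfork.php in lib/files/, and a modified admin-ajax.php.
    The plugin main-file name used here is an assumption; the scanner does not rely on it."""
    root = Path(tempfile.mkdtemp())
    (root / UPLOAD_DIR).mkdir(parents=True)
    (root / PLUGIN_DIR / "file_folder_manager.php").write_text(
        "<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n")
    (root / UPLOAD_DIR / "photo.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"<?php /* constructed placeholder, not a real webshell */ ?>")
    (root / UPLOAD_DIR / HARDFORK_NAME).write_bytes(b"")   # empty probe file
    (root / UPLOAD_DIR / "notes.txt").write_text("harmless text file\n")
    for rel in CORE_TARGETS:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<?php // clean core file\n")
    known_good = {rel: sha256_of(root / rel) for rel in CORE_TARGETS}
    (root / "wp-admin/admin-ajax.php").write_text("<?php // clean core file\n// injected line\n")
    return root, known_good


def demo():
    root, known_good = build_demo_site()
    return audit(root, known_good)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the known-good hashes would come from a pristine WordPress tarball of the same release rather than from the live site, and a hit in lib/files/ is a reason to treat the host as compromised (not merely to delete the file), since the same access lets the attacker modify core files and lock others out.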

[Image: Blocking further exploitation (NinTechNet)]

Over 300,000 sites still vulnerable to attacks

“A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area,” Chloe Chamberland, Wordfence’s Director of Information Security explained.

“For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

File Manager’s dev team addressed the actively exploited critical vulnerability with the release of File Manager 6.9 yesterday morning.

However, the plugin has only been downloaded just over 126,000 times — including both updates and new installs — within the last two days based on historic download data available on the WordPress plugin portal, leaving 574,000 WordPress sites potentially exposed.

Luckily, only 51.5% of all sites with an active File Manager plugin installation (amounting to more than 300,000 websites) are running a vulnerable version that could allow the attackers to execute arbitrary code after successful exploitation.

File Manager users are advised to update the plugin to version 6.9 immediately to block the ongoing attacks.

Update: Attributed the discovery of the zero-day to Seravo’s Ville Korhonen who reported the flaw and ongoing attacks to the plugin’s authors.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
