In the File Manager plugin has been discovered a dangerous vulnerability, which is used by over 700,000 WordPress-based resources and which allows executing commands and malicious scripts on vulnerable sites. Just hours after disclosing information about the bug, experts from the Thai company NinTechNet reported that hackers attack this vulnerability in WordPress.
The crux of the problem is that the plugin contains an additional file manager known as elFinder, an open source library that provides the main plugin functionality and ensures user’s interface.The vulnerability arises from the way elFinder is implemented in this case”, – report NinTechNet researchers.
For example, in File Manager, the extension of the connector.minimal.php.dist library file has been changed to .php so that it can be run directly even if the connector file is not used by the file manager itself. These libraries often include sample files that would not be used out of the box without configuring access control. As a result, this file has no direct access restrictions, which means that anyone can access it.
NinTechNet researchers write that cybercriminals use an exploit to upload image files to websites containing hidden web shells. As a result, attackers can use a convenient interface that allows them to run commands in the plugins /wp-file-manager/lib/files/directory, where the File Manager plugin is located. Although the problem prevents hackers from executing commands outside the named directory, attackers can do considerable damage by uploading scripts to a vulnerable site that are capable of performing actions in other parts of the vulnerable resource.
According to NinTechNet, hackers are currently using the bug to upload the hardfork.php script to websites and then inject it into the /wp-admin/admin-ajax.php and /wp-includes/user.php scripts.
At the same time, it is noted that cybercriminals try to protect the vulnerable file with a password (connector.minimal.php) so that other hack groups could not exploit the vulnerability on already infected sites.
In the next few hours or days, we will see exactly what they will do next. After all, if they protect a vulnerable file with a password to prevent other hackers from exploiting the vulnerability, they are likely going to return and visit the infected resources again”, — say NinTechNet experts.
Experts from the information security company Wordfence have already written their own report dedicated to this wave of attacks. Over the past few days, the company has blocked more than 450,000 attempts to exploit this vulnerability. The researchers write that attackers are trying to inject various files into websites. In some cases, these files were empty (apparently, the hackers were only testing the vulnerability); other malicious files were named hardfork.php, hardfind.php, and x.php.
A file manager plugin like this allows attackers to manipulate files and upload new ones of their choice right from the WordPress dashboard. This also potentially allows for immediate privilege escalation. For example, an attacker can gain access to a site’s admin panel using a compromised password, then gain access to a vulnerable plugin and load a web shell to perform further actions on the server and develop his attack using another exploit”, — writes Wordfence specialist Chloe Chamberland.
The issue has already been fixed in File Manager 6.0 through 6.8. Official WordPress statistic shows that approximately 52% of plugin installations, or about 350,000 sites, currently are vulnerable.
Let me remind you that earlier we reported about vulnerability in WordPress wpDiscuz plugin that leads to arbitrary code execution.
