Vulnerability in the File Manager WordPress plugin and how to respond


On September 1, 2020, a vulnerability was discovered in the WordPress plugin File Manager. It can be exploited by any third party, without logging in to the site. This article covers the scope of the impact and how to respond.

What is File Manager?

File Manager is a plugin for managing files and folders from within the WordPress dashboard: it can edit, delete, upload, download, compress, copy and paste files and folders on the server.

It is installed on over 700,000 WordPress sites.

What kind of vulnerability?

A third party can reach a file that should have been protected and, by sending commands to it, upload a malicious PHP file to the site. Because the uploaded file is executed by the web server, an attacker who exploits this can steal data from the site or modify it.

Solutions

Version 6.9, which fixes this vulnerability, was released on September 1, 2020.

If File Manager is installed and active on your site, respond as follows.

Checking whether the vulnerability has already been exploited against you

If the following files are present under the directory "/wp-content/plugins/wp-file-manager/lib/files", it is highly likely that the site has been attacked.

If that applies to you, reinstall WordPress from a clean copy, change the password of every administrative user, and change the database password.

Scope of impact

Attacks exploiting this vulnerability began on August 31, 2020.

As of September 4, 2020, only 15.4% of all users have updated to the latest version, 6.9.

It is recommended that you update to the latest version.

(Chart: active versions of the plugin in use)

The source of the problem

In File Manager 6.4, the developer renamed "lib/php/connector.minimal.php-dist" to "lib/php/connector.minimal.php" in order to test a specific function, and the release was published with the file left in that renamed state. With the ".php-dist" suffix the web server does not execute the file; with the ".php" suffix it becomes a script that the server runs.

There was no access restriction on this file, so anyone could call it directly over the web and use it.
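The following script is an added example, not code from the article or from the plugin. It audits a local copy of the plugin directory for the three conditions described above: a version older than the fixed release 6.9, the renamed connector "lib/php/connector.minimal.php" still present, and PHP files under "lib/files", where the connector's uploads land. It assumes the standard WordPress plugin header ("Version:" line in a top-level .php file of the plugin), assumes that fixed builds ship the connector only as "connector.minimal.php-dist", and, because the article does not reproduce the indicator file names, treats any .php file under "lib/files" as an indicator. The fixture directory it builds is constructed sample data for running the audit offline.

```shell
#!/bin/sh
# Added example (not from the article or the plugin): audit a local
# wp-file-manager install for the conditions the article describes.
#   - plugin version older than the fixed release 6.9
#   - lib/php/connector.minimal.php present (the unrestricted connector;
#     assumption: fixed builds ship it only as connector.minimal.php-dist)
#   - PHP files under lib/files, where connector uploads land
#     (assumption: the article's indicator list is not reproduced here,
#     so any .php file in that directory is treated as an indicator)

# Compare dotted version strings: returns 0 when $1 < $2.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# Read the "Version:" line of the WordPress plugin header from any
# top-level .php file in the plugin directory (assumes the standard header).
fm_version() {
  fm_v=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$1"/*.php 2>/dev/null | head -n 1 | tr -d '\r ')
  if [ -n "$fm_v" ]; then echo "$fm_v"; else echo unknown; fi
}

# Succeeds when the renamed, unrestricted connector script is present.
fm_connector_exposed() {
  [ -f "$1/lib/php/connector.minimal.php" ]
}

# Prints the number of .php files under lib/files (0 if the directory is absent).
fm_count_php_uploads() {
  find "$1/lib/files" -type f -name '*.php' 2>/dev/null | wc -l | tr -d ' '
}

# Runs all checks on a plugin directory. Exit status: 0 clean,
# 1 vulnerable but no upload found, 2 upload indicator found.
fm_audit() {
  fm_dir="$1"; fm_rc=0
  fm_ver=$(fm_version "$fm_dir")
  echo "plugin version: $fm_ver"
  if [ "$fm_ver" = unknown ] || version_lt "$fm_ver" 6.9; then
    echo "VULNERABLE: older than 6.9, update the plugin"; fm_rc=1
  fi
  if fm_connector_exposed "$fm_dir"; then
    echo "EXPOSED: lib/php/connector.minimal.php is present (should be the .php-dist file)"; fm_rc=1
  fi
  fm_n=$(fm_count_php_uploads "$fm_dir")
  if [ "$fm_n" -gt 0 ]; then
    echo "INDICATOR: $fm_n PHP file(s) under lib/files; reinstall WordPress and rotate admin and DB passwords:"
    find "$fm_dir/lib/files" -type f -name '*.php'
    fm_rc=2
  fi
  return "$fm_rc"
}

# Builds a constructed sample plugin directory that looks like a compromised
# 6.8 install, for trying the audit offline (sample data, not real artefacts).
fm_make_fixture() {
  mkdir -p "$1/lib/php" "$1/lib/files"
  printf '<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n' > "$1/file_folder_manager.php"
  : > "$1/lib/php/connector.minimal.php"
  printf '<?php /* constructed sample upload */\n' > "$1/lib/files/uploaded.php"
}

# Usage: sh audit_wp_file_manager.sh /var/www/html/wp-content/plugins/wp-file-manager
if [ "$#" -gt 0 ]; then
  fm_audit "$1"
  exit $?
fi
```

Run it against the real plugin directory of the site; an exit status of 2 means the connector has been used to drop PHP files, which matches the "reinstall and rotate passwords" advice above, while an exit status of 1 means the site is still exposed and should be updated to 6.9 before anything else.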
