Vulnerability of File Manager WordPress plugin and Solutions
On September 1, 2020, a vulnerability was discovered in the WordPress plugin File Manager. The vulnerability could be exploited by an attacker. Here's the scope of the impact and how to respond.
What is File Manager?
File Manager is a plugin that lets you manage files and folders directly from the WordPress dashboard.
It can edit, delete, upload, download, compress, copy and paste files and folders.
It is installed on over 700,000 WordPress sites.
What kind of vulnerability is it?
An unauthenticated third party can access an unprotected file in the plugin and, by executing commands through it, upload a malicious PHP file.
If this vulnerability is exploited, data can be stolen or the site can be modified.
Solutions
Version 6.9, which fixes this vulnerability, was released on September 1, 2020.
If you have enabled File Manager, here’s how to deal with it.
- Update to the latest version, 6.9.
- Remove the plugin if you don’t need it.
Signs that the vulnerability has been exploited
If any of the following files are present under the directory “/wp-content/plugins/wp-file-manager/lib/files”, there is a high probability that the site has been attacked.
- hardfork.php
- hardfind.php
- x.php
If any of the above applies to you, reinstall WordPress and change your administrative user password and your database password.
Scope of impact
Attacks exploiting the vulnerability began on August 31, 2020.
- August 31, 2020: 1,500 attacks per hour on average
- September 1, 2020: 2,500 attacks per hour on average
- September 2, 2020: over 10,000 attacks per hour
As of now (September 4, 2020), only 15.4% of all users have updated to the latest version, 6.9.
It is recommended that you update to the latest version.
The source of the problem
In File Manager 6.4, “lib/php/connector.minimal.php-dist” was renamed to “lib/php/connector.minimal.php” in order to test a specific function, and the file was published as it was.
There were no access restrictions on this file, so anyone could access it.
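A defender's check covering both the indicator files listed above and the exposed connector described here, as an added example that is not part of the original advisory: the paths are the ones the text names, while the WordPress root directory passed as the first argument and the output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: scan a WordPress install for the
# indicators the advisory lists. The plugin paths come from the text; the
# WordPress root given as $1 is an assumption about your layout.

# Prints each finding on its own line. Returns 0 when nothing was found,
# 1 when at least one indicator or the exposed connector is present.
check_wp_file_manager() {
  wp_root=$1
  plugin_dir="$wp_root/wp-content/plugins/wp-file-manager"
  found=0

  # Plugin not installed: nothing to check.
  [ -d "$plugin_dir" ] || { echo "wp-file-manager not installed"; return 0; }

  # Files the advisory names as left behind by successful attacks.
  for name in hardfork.php hardfind.php x.php; do
    if [ -f "$plugin_dir/lib/files/$name" ]; then
      echo "INDICATOR: $plugin_dir/lib/files/$name"
      found=1
    fi
  done

  # Root cause: the connector shipped as .php instead of .php-dist,
  # making it reachable by anyone without access restrictions.
  if [ -f "$plugin_dir/lib/php/connector.minimal.php" ]; then
    echo "EXPOSED: $plugin_dir/lib/php/connector.minimal.php (update to 6.9 or remove the plugin)"
    found=1
  fi

  return $found
}
```

Run it as `check_wp_file_manager /var/www/html` (path is an example); a non-zero exit means follow the reinstall and credential-change steps above.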