Vulnerability of File Manager WordPress plugin and Solutions

On September 1, 2020, a vulnerability was discovered in the WordPress plugin File Manager. The vulnerability could be exploited by an attacker. Here's the scope of the impact and how to respond.

What is File Manager?

File Manager is a plugin that allows you to manipulate files and folders on WordPress.

It can edit, delete, upload, download, compress, copy and paste files and folders.

It is installed on over 700,000 WordPress sites.

What kind of vulnerability?

A third party can reach an unprotected file in the plugin, execute its commands, and upload a malicious PHP file.

If this vulnerability is exploited, data can be stolen or the site can be modified.

Solutions

Version 6.9, which fixes this vulnerability, was released on September 1, 2020.

If you have File Manager enabled, here's how to deal with it.

How to tell if you were attacked

If the following files are located under the directory “/wp-content/plugins/wp-file-manager/lib/files”, there is a high probability that you have been attacked.

If the above applies to you, reinstall WordPress and change the passwords of your administrative user and your database.

Scope of impact

Attacks exploiting the vulnerability began on August 31, 2020.

As of now (September 4, 2020), only 15.4% of all users have updated to the latest version, 6.9.

It is recommended that you update to the latest version.

(Figure: active versions of the plugin)

The source of the problem

In order to test a specific function in File Manager 6.4, the developers renamed “lib/php/connector.minimal.php-dist” to “lib/php/connector.minimal.php”, and the renamed file was then published in the release as it was.

There were no access restrictions on this file, so anyone could access it.
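The following audit script is an added example, not code from the article or from the plugin. It checks a WordPress install for the three indicators described above (the exposed connector file, files under lib/files, and a plugin version older than 6.9). It assumes the plugin lives in wp-content/plugins/wp-file-manager and that its main file is file_folder_manager.php with a standard "Version:" plugin header; the sample tree it builds for the demo is constructed.

```shell
# Added audit script (not from the article). Read-only check of a WordPress
# install. Assumptions: plugin dir wp-content/plugins/wp-file-manager, main
# file file_folder_manager.php carrying a standard "Version:" header line.

# Returns 0 if VERSION is 6.9 or newer (the fixed release), 1 otherwise.
fm_version_is_fixed() {
    v="$1"
    case "$v" in *.*) ;; *) v="$v.0" ;; esac
    major="${v%%.*}"; rest="${v#*.}"; minor="${rest%%.*}"
    [ "$major" -gt 6 ] 2>/dev/null || { [ "$major" -eq 6 ] && [ "$minor" -ge 9 ]; }
}

# Prints findings for the WordPress root $1; returns 1 if anything was found.
audit_wp_file_manager() {
    plugin="$1/wp-content/plugins/wp-file-manager"
    findings=0
    [ -d "$plugin" ] || { echo "wp-file-manager not installed"; return 0; }
    # Indicator 1: the connector that was shipped without access restrictions
    if [ -f "$plugin/lib/php/connector.minimal.php" ]; then
        echo "FINDING: lib/php/connector.minimal.php present (only the -dist file should ship)"
        findings=$((findings + 1))
    fi
    # Indicator 2: any file under lib/files, the article's sign of an attack
    if [ -n "$(find "$plugin/lib/files" -type f 2>/dev/null)" ]; then
        echo "FINDING: files under lib/files:"; find "$plugin/lib/files" -type f
        findings=$((findings + 1))
    fi
    # Indicator 3: plugin version older than the fixed release 6.9
    ver=$(grep 'Version:' "$plugin/file_folder_manager.php" 2>/dev/null \
          | head -n 1 | sed 's/.*Version:[[:space:]]*//' | tr -d '\r ')
    if [ -n "$ver" ] && ! fm_version_is_fixed "$ver"; then
        echo "FINDING: plugin version $ver is older than 6.9"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a vulnerable 6.4 install with one dropped file (demo only).
make_sample_tree() {
    p="$1/wp-content/plugins/wp-file-manager"
    mkdir -p "$p/lib/php" "$p/lib/files"
    printf '<?php\n/*\n * Plugin Name: File Manager\n * Version: 6.4\n */\n' > "$p/file_folder_manager.php"
    : > "$p/lib/php/connector.minimal.php"
    : > "$p/lib/files/constructed-dropped-file.php"
}

demo=$(mktemp -d); make_sample_tree "$demo"
audit_wp_file_manager "$demo" || echo "Action: update to 6.9, reinstall WordPress, rotate admin and DB passwords"
rm -rf "$demo"
```

Run it against a real install with `audit_wp_file_manager /var/www/html` (path is an example); a non-zero exit means at least one indicator was found.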
