Over 700,000 people are currently using the WordPress plugin called File Manager. Unfortunately, hackers are actively exploiting a flaw in the plugin that enables them to run malicious scripts and execute commands on websites running the plugin. Reports have suggested that over 50% of users have been affected.
File Manager helps website administrators manage the files on their WordPress content management system. It bundles a second file manager called elFinder, an open-source library that provides the core functionality of the plugin. The exposed vulnerability stems from how the plugin integrated elFinder.
Hackers have been using the opportunity to upload files that contain webshells embedded within images. From there, they use this interface to run commands within the directory in which File Manager resides (plugins/wp-file-manager/lib/files/). Although this limits how far hackers can spread their malicious scripts and commands, they can cause additional damage by uploading scripts that carry out subsequent actions on vulnerable sites.
Reports from Wordfence, a website security firm, say that attackers are probing vulnerable sites in order to inject a malicious file later. Although not an exhaustive list, uploaded files have been caught with the names “hardfork.php”, “hardfind.php” and “x.php”.
The issue began when the File Manager plugin renamed elFinder’s library connector file, changing its extension from “connector.minimal.php.dist” to “.php”. This change made the connector directly executable from the web even though File Manager itself did not use it. Libraries of this type ship files that are not intended to be used as-is without adding further security and access controls; the connector had no access restrictions, so anyone could reach it. The connector file initialises elFinder by pulling in “elFinderConnector.class.php”.
The security flaw affects File Manager versions 6.0 to 6.8. It is recommended that all installations be updated to version 6.9 as soon as possible.
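As an added triage example (not code from the plugin, from Wordfence, or from this site), the following Python checks whether an installed plugin version falls in the affected 6.0 to 6.8 range and scans web server access log lines for direct hits on the renamed connector and for PHP files appearing under the plugin’s upload directory, including the file names reported above. The exact location of the connector inside the plugin directory, the /wp-content/ prefix and the sample log lines are assumptions constructed for the example.

```python
import re

# Affected range stated above: 6.0 up to and including the 6.8 releases; 6.9 fixes it.
VULNERABLE_MIN, FIXED = (6, 0), (6, 9)
# Assumed WordPress layout; the page only gives plugins/wp-file-manager/lib/files/.
PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"
UPLOAD_DIR = PLUGIN_DIR + "lib/files/"
CONNECTOR = "connector.minimal.php"                       # the renamed .php.dist connector
KNOWN_NAMES = {"hardfork.php", "hardfind.php", "x.php"}   # names reported by Wordfence

# Apache/nginx combined log format (method, path and status are all we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_vulnerable_version(version: str) -> bool:
    """True for 6.0 <= version < 6.9, so 6.8.x counts as affected and 6.9 does not."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return VULNERABLE_MIN <= parts < FIXED

def classify_request(path: str):
    """Return a short verdict for one request path, or None if it looks unrelated."""
    url, _, query = path.partition("?")
    if url.startswith(PLUGIN_DIR) and url.endswith(CONNECTOR):
        # The connector should never be reached directly; an upload command in the
        # query string is the clearest sign (POST bodies are not in access logs).
        return "direct connector hit" + (" (upload)" if "cmd=upload" in query else "")
    if url.startswith(UPLOAD_DIR) and url.endswith(".php"):
        name = url.rsplit("/", 1)[-1]
        return "php file in upload dir" + (" [known webshell name]" if name in KNOWN_NAMES else "")
    return None

def scan_log(lines):
    """Return (ip, method, url, verdict) for every suspicious line in combined log format."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        verdict = classify_request(m["path"])
        if verdict:
            findings.append((m["ip"], m["method"], m["path"].partition("?")[0], verdict))
    return findings

# Constructed sample log lines (not real traffic); the lib/php/ location is assumed.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2020:10:14:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2020:10:14:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 88',
    '198.51.100.9 - - [01/Sep/2020:10:15:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 1024',
]
```

Running `scan_log(SAMPLE_LOG)` on the constructed lines reports the connector upload and the hardfork.php request and ignores the ordinary admin-ajax call; a match on a real site is a reason to check the upload directory and update, not proof of compromise on its own.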
If you’re our client: we caught the bug overnight, updated it, and you were never at risk. That’s just one of the advantages of partnering with us for your website’s success. – Andrew Brum, Founder
We have a team of professionals that are exceptionally well-versed in correcting hacked sites and implementing security features to prevent additional malicious activity. Don’t hesitate to get in touch!
If you are currently experiencing suspicious activity, issues with the File Manager plugin or you would like to heighten your website’s security, contact us today.