A dangerous vulnerability has been discovered in the File Manager plugin, which is used on more than 700,000 WordPress-based sites, and it allows commands and malicious scripts to be executed on vulnerable sites. Just a few hours after the bug was disclosed, experts from the Thai company NinTechNet reported the first attacks exploiting it.
The crux of the problem is that the plugin bundles an additional file manager, elFinder, an open source library that provides the plugin's core functionality as well as its user interface. The vulnerability arises from the way elFinder was integrated here. In File Manager, the extension of the library's connector.minimal.php.dist file was changed to .php so that it can be run directly, even though the connector file is not used by the file manager itself. Such libraries often ship sample files that are not meant to be used out of the box without access control being set up. As a result, this file has no access restrictions of its own, which means that anyone can reach it.
NinTechNet researchers write that attackers use an exploit to upload image files containing hidden web shells to websites. As a result, the attackers get a convenient interface that allows them to run commands in the plugins/wp-file-manager/lib/files/ directory, where the File Manager plugin is located. Although the flaw does not let the attackers execute commands outside that directory, they can still do a lot of damage by uploading scripts to the vulnerable site that act on other parts of the resource.
According to NinTechNet, hackers are currently using the bug to upload the hardfork.php script to websites and then use it to inject code into the scripts /wp-admin/admin-ajax.php and /wp-includes/user.php.
It is also noted that the attackers protect the vulnerable file (connector.minimal.php) with a password so that other hacker groups cannot exploit the vulnerability on sites that are already infected.
“In the next few hours or days, we will see exactly what they will do next. After all, if they protect a vulnerable file with a password to prevent other hackers from exploiting the vulnerability, they are probably going to return and visit the infected resources again,” NinTechNet experts say.
Experts from the information security company Wordfence have already dedicated their own report to this wave of attacks. Over the past few days, the company has blocked more than 450,000 attempts to exploit this vulnerability. The researchers write that attackers are trying to plant various files on websites. In some cases these files were empty (obviously, the hackers were only testing the vulnerability); other malicious files were named hardfork.php, hardfind.php and x.php.
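As an added example (not code from NinTechNet, Wordfence or the plugin itself), here is a defender-side scan for the indicators the article lists: a reachable copy of the renamed connector.minimal.php, scripts or the known shell names under lib/files/, and image uploads that carry a PHP open tag. The connector path used in the constructed sample tree and the extension lists are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the article: shells named hardfork.php, hardfind.php and
# x.php dropped into lib/files/, and uploaded images carrying hidden PHP.
SUSPICIOUS_NAMES = {"hardfork.php", "hardfind.php", "x.php"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def scan_file_manager(plugin_dir):
    """Return (relative_path, reason) findings for one wp-file-manager copy."""
    plugin_dir = Path(plugin_dir)
    findings = []
    # The renamed sample connector the article describes; its exact location
    # inside the plugin is an assumption, so every copy found is reported.
    for conn in plugin_dir.rglob("connector.minimal.php"):
        rel = conn.relative_to(plugin_dir).as_posix()
        findings.append((rel, "exposed elFinder connector"))
    for path in (plugin_dir / "lib" / "files").rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(plugin_dir).as_posix()
        ext = path.suffix.lower()
        if path.name.lower() in SUSPICIOUS_NAMES:
            findings.append((rel, "known web shell filename"))
        elif ext in {".php", ".phtml", ".php5", ".php7"}:
            findings.append((rel, "executable script in upload directory"))
        elif ext in IMAGE_EXTS:
            # Polyglot check: an "image" whose first MiB holds a PHP open tag.
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read(1 << 20)):
                    findings.append((rel, "PHP code hidden in image upload"))
    return findings

def build_sample_plugin():
    """Constructed, harmless sample tree for running the scanner offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-file-manager-"))
    files = {
        "lib/php/connector.minimal.php": b"<?php // assumed connector path\n",
        "lib/files/hardfork.php": b"<?php echo 'constructed sample'; ?>\n",
        "lib/files/photo.jpg": b"\xff\xd8\xff\xe0<?php echo 'hidden'; ?>",
        "lib/files/clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "lib/files/notes.txt": b"plain text, nothing to flag\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Running `scan_file_manager(build_sample_plugin())` reports the connector, the hardfork.php shell and the polyglot photo.jpg while leaving the clean PNG and text file alone; point it at a real wp-content/plugins/wp-file-manager directory to triage an installation.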
“A file manager plugin like this allows attackers to manipulate files and upload new ones of their choice right from the WordPress dashboard. It also potentially allows privilege escalation right away. For example, an attacker can gain access to the site's admin panel using a compromised password, then gain access to a vulnerable plugin and load a web shell in order to perform further actions on the server and develop their attack with another exploit,” writes Wordfence specialist Chloe Chamberland.
The problem has already been fixed in File Manager versions 6.0 to 6.8. Official WordPress statistics show that approximately 52% of plugin installations are currently vulnerable, i.e. about 350,000 sites.