Millions of WordPress sites targeted by File Manager zero-day
A dramatic surge in attacks saw one million sites targeted on 4 September alone
More than 1.7 million sites designed on the WordPress platform have been attacked due to a zero-day vulnerability in the File Manager plugin, with hundreds of thousands more sites likely to be under threat.
Attacks against a flaw in the File Manager plugin surged dramatically towards the end of last week, according to researchers with the Wordfence security plugin, with attacks against one million sites on 4 September alone.
Hackers have been exploiting the flaw in the wild by executing commands to upload malicious files onto target WordPress sites. Analysis by Wordfence’s threat intelligence team showed it was also possible to bypass the in-built file upload protection mechanism.
Although a patch has been released, labelled as version 6.9 of the plugin, as of last Friday there were still 261,800 sites running a vulnerable form of File Manager. Sites not using the plugin are still being probed by bots seeking to exploit vulnerable versions of the app.
Of the three million WordPress sites that Wordfence protects, 1.7 million have been probed for the vulnerability, meaning the true extent of the exploitation is unknown and likely much higher than reported figures.
File Manager is designed to help administrators manage files on their sites, and offers an additional library known as elFinder which is an open-source file manager designed to provide a simple user interface.
The issue centres on the File Manager plugin renaming the extension on the elFinder library 'connector.minimal.php.dist' file to '.php', meaning it can be executed directly - even though the connector file isn’t used by File Manager itself. The file had no direct access restrictions, meaning it could be accessed by anyone.
The attacks that Wordfence researchers have seen in the wild involved hackers using the upload command to upload PHP files containing webshells hidden in an image.
Beyond applying the patch, Wordpress users are being offered an extra layer of protection thanks to an additional firewall rule that prevents all access to ‘connector.minimal.php’.
Wordfence has also recommended that users not actively using the plugin should uninstall it completely to avoid any risk.
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Organizations hit by 90 zero-day vulnerabilities last yearNews Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
