A Zero-Day Vulnerability is reported in File Manager Plugin for WordPress, a plugin with more than 700,000 active installations; out of which 52% are affected. This vulnerability is being actively exploited. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. File Manager is a plugin designed to help WordPress administrators manage files on their sites. The plugin contains an additional library, elFinder, which is an open-source file manager designed to create a simple file management interface and provides the core functionality behind the file manager. The File Manager plugin used this library in a way that introduced a vulnerability. The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.The attacks we are seeing in the wild are using the upload command to upload PHP files containing webshells hidden in an image to the wp-content/plugins/wp-file-manager/lib/files/ directory.
WordPress File Manager Plugins 6.0 – 6.8