WordPress is the most commonly attacked platform in the world wide web due to its massive user base. Now, the content management system has once again come under the scanner for a vulnerability that can be exploited to take of a WordPress powered website.
The zero-day vulnerability was in the File Manager plugin that has been installed in over 700,000 sites. It lets users manage file transfers, uploads, copy and deletion as an alternative to FTP (file transfer protocol). But its 6.4 version that was released on May 5, 2020, allowed hackers to exploit upload malicious files without authentication.
"A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site's admin area," said Chloe Chamberland, Director of Information Security at Wordfence, an endpoint firewall provider.
Millions of Websites Affected
The vulnerability in the 6.4 version was rather a result of carelessness. During the development and testing of a file (connector-minimal.php), it was renamed to connector-minimal.php-dist. But accidentally the file was added to the final version rather than keeping it as a local change.
While it's unknown how the hackers found the vulnerability, they had to just rename the file to connector-minimal.php to exploit the widespread plugin. So far, hackers have searched for the plugin in millions of websites. If the plugin was installed, hackers could exploit the issue and upload a malicious script (also known as web shell) that would be hidden inside a file. The attacker then can take over the site.
"Looks like there is Zero-Day Vulnerability with WP File Manager. My site got hacked and some of my URLs are redirecting to other pages. I don't know what they changed and how to fix it. Anyone knows how to fix it?" a user asked in WordPress' forum.
Ram Gall, a WordPress threat analyst at Defiant, told ZDNet that attacks against the particular vulnerability had risen dramatically over the last few days with the company recording over a million attacks on September 4 alone. Gall said that his company blocked over 1.7 million attacks since September 1 when it was first noticed. But he believes the number of attacks would be much bigger as hundreds of millions of sites use WordPress.
However, the uploader of the plugin has since released an updated version (6.9) fixing the vulnerability. While over 600,000 users have already patched the plugin, many haven't, leaving their sites vulnerable to such attacks. To eliminate the sluggish nature of updating, the WordPress developer team has recently launched an auto-update option. The feature would automatically update plugins as soon as they are available.
"We take security very seriously, and apologize to our community for any inconvenience or issues that have been caused. We urge users to update to the latest version immediately since it contains a patch for this vulnerability and will keep you protected," said the plugin's creator, who goes by mndpsingh287 pseudonym on WordPress forum.