The developers of the WordPress File Manager plugin have patched an actively-exploited security issue permitting full website hijacking.
According to the Sucuri WordPress security team, the vulnerability emerged in version 6.4 of the software, which is used as an alternative to FTP in managing file transfers, copying, deletion, and uploads.
File Manager accounts for over 700,000 active installations.
In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project.
See also: KingComposer patches XSS flaw impacting 100,000 WordPress websites
The file in question was pulled by third-party dependency elFinder and used as a code reference. An extension added to the file, the rename of connector-minimal.php-dist to connector-minimal.php, was a small tweak — but was enough to trigger a critical vulnerability in the popular plugin.
ElFinder’s script, as a file manager, grants users elevated privileges for modifying, uploading, and deleting files. As the system is focused on ease of use, to set the elFinder file manager up, it takes nothing more than changing the file’s extension from .php-dist to .php — and so the avenue for attacks was opened.
While using the file as a reference may have helped the team locally test features, the researchers say that leaving such a script — intentionally designed to not check access permissions — in a public build causes a “catastrophic vulnerability if this file is left as-is on the deployment.”
“This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover,” Sucuri says.
The solution, included in version 6.9, is simple enough: simply delete the file — which was never part of the plugin’s functionality anyway — and other unused .php-dist files.
CNET: Appeals court finds NSA’s bulk phone data collection was unlawful
However, a week before the file was removed, a Proof-of-Concept (PoC) code was released on code repository GitHub, leading to a wave of attacks against websites before version 6.9 was made available.
Sucuri says the exploit rapidly gained traction. The first attack was spotted on August 31, a day before a fixed version of the file manager was released. This ramped up to roughly 1,500 attacks per hour, and a day later, this increased to an average of 2,5000 attacks every 60 minutes. By September 2, the team saw roughly 10,000 attacks per hour.
In total, Sucuri has tracked “hundreds of thousands of requests from malicious actors attempting to exploit it.”
TechRepublic: Organizations facing nearly 1,200 phishing attacks each month
While the vulnerability has now been resolved, at the time of writing, only 6.8% of WordPress websites have updated to the new, patched version of the plugin, leaving many websites open to compromise.
In July, a reflected XSS vulnerability was patched in KingComposer, a WordPress plugin for drag-and-drop page creation. The bug, CVE-2020-15299, was caused by a dormant Ajax function that could be abused to deploy malicious payloads.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0