WordPress sites running the File Manager plugin, which has over 700,000 active installations, are being actively probed and attacked this week. The cause is a zero-day vulnerability in the File Manager plugin that lets unauthenticated users upload malicious files and execute commands on the site. Version 6.9 of the plugin, released on September 1, fixes the vulnerability. Wordfence has also deployed an additional firewall rule to block exploitation attempts. Details of the affected plugin are given below:

Description: Remote Code Execution (RCE)
Affected Plugin: File Manager
Plugin Slug: wp-file-manager
Affected Versions: 6.0 - 6.8
CVSS Score: 10.0 (Critical)
Solution:
Patched version: 6.9

We manage a lot of WordPress websites under our Server Management plan, and our expert engineers perform regular updates to keep them protected against vulnerabilities like this one.
The File Manager plugin lets WordPress administrators upload and manage their site files, and it bundles a third-party library, elFinder, to do so. The issue started when the plugin renamed the extension of elFinder's connector.minimal.php.dist file to .php so that it could be executed directly, even though the plugin itself never used that connector file. Libraries like elFinder ship such example/connector files for developers to adapt; once this one carried a .php extension, anyone could request it over the web without authentication. The connector is hooked into elFinderConnector.class.php, so a request to it could initiate any elFinder command, including file upload. elFinder does have built-in protection against directory traversal, which is why attackers could not write outside the plugin's own directory and the uploaded files end up under the plugin's lib/files folder.
Attackers have recently been observed dropping files with the following names:
- hardfork.php
- hardfind.php
- x.php
If your site has been hit, these files will be found in the /wp-content/plugins/wp-file-manager/lib/files directory of the WordPress installation. Note that the file names can change from campaign to campaign, so treat any PHP file in that directory as suspicious, not just the three listed here.
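The following script is an added example written for this post; it is not code from the original article or from the File Manager plugin. It audits a WordPress document root for the three things discussed above: the installed wp-file-manager version against the affected range 6.0 - 6.8, whether the renamed elFinder connector is present, and which PHP files have landed in lib/files. The lib/files path and the dropped file names come from the post; the connector path lib/php/connector.minimal.php, the set of PHP extensions checked, and the sample site it builds in a temporary directory are assumptions made for the example.

```python
"""Audit a WordPress install for the wp-file-manager zero-day (example code)."""
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "wp-file-manager"
AFFECTED_MIN, AFFECTED_MAX = (6, 0), (6, 8)     # affected range from the advisory
UPLOAD_DIR = Path("lib") / "files"              # where dropped files land (from the post)
# Assumed location of the renamed elFinder connector inside the plugin directory.
CONNECTOR = Path("lib") / "php" / "connector.minimal.php"
# File names the post reports attackers dropping.
KNOWN_DROPPED = {"hardfork.php", "hardfind.php", "x.php"}
# Assumed set of extensions the web server would execute as PHP.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7"}

# WordPress-style plugin header lines, e.g. " * Version: 6.8" inside a /* */ block.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M)


def parse_version(text):
    """'6.8' -> (6, 8); tuples compare correctly where strings would not ('6.10' > '6.9')."""
    return tuple(int(p) for p in text.strip(". ").split("."))


def plugin_version(plugin_dir):
    """Return the Version: header of the plugin's main file as a tuple, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WP only reads the first 8 KiB
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return parse_version(m.group(1)) if m else None
    return None


def audit(wp_root):
    """Check one WordPress document root and return a findings dict."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    report = {"installed": plugin_dir.is_dir(), "version": None, "vulnerable": False,
              "connector_present": False, "known_dropped": [], "other_php": []}
    if not report["installed"]:
        return report
    ver = plugin_version(plugin_dir)
    report["version"] = ver
    report["vulnerable"] = ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX
    report["connector_present"] = (plugin_dir / CONNECTOR).is_file()
    upload_dir = plugin_dir / UPLOAD_DIR
    if upload_dir.is_dir():
        for f in sorted(upload_dir.rglob("*")):
            if f.is_file() and f.suffix.lower() in PHP_EXTS:
                bucket = "known_dropped" if f.name in KNOWN_DROPPED else "other_php"
                report[bucket].append(str(f.relative_to(upload_dir)))
    return report


def build_sample_site(version, dropped=(), connector=True):
    """Constructed sample install in a temp dir for offline testing; not a real site."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    (plugin_dir / "lib" / "php").mkdir(parents=True)
    (plugin_dir / UPLOAD_DIR).mkdir(parents=True)
    # Main plugin file name is assumed; only its header matters to the audit.
    (plugin_dir / "plugin-main.php").write_text(
        "<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n" % version)
    if connector:
        (plugin_dir / CONNECTOR).write_text("<?php // executable connector (constructed)\n")
    for name in dropped:
        (plugin_dir / UPLOAD_DIR / name).write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    site = build_sample_site("6.8", dropped=("hardfork.php", "x.php", "shell2.php"))
    for key, value in audit(site).items():
        print("%-18s %s" % (key, value))
```

Run it against a real install with `audit("/var/www/html")` (or whatever the document root is). A `vulnerable` result means update to 6.9 now; anything in `known_dropped` or `other_php` means the site has already been written to and needs cleanup beyond the update, since updating the plugin does not remove files attackers have already placed.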
In short, this zero-day in the File Manager plugin is closed by updating the plugin to version 6.9 immediately. If any of the files above were found, the update alone is not enough: the dropped files must also be removed and the site checked for further changes, since updating the plugin does not undo what an attacker has already uploaded.