Developers have updated the WordPress plugin File Manager to fix a critical vulnerability that could have allowed hackers to gain complete access to nearly 700 thousand WordPress websites.
The unauthenticated file upload vulnerability could allow an attacker to upload malicious files on WordPress sites running older versions of the File Manager Plugin.
The problem arose when a file originally provided by the third-party dependency elFinder was renamed and committed to the project instead of being kept as a local file that is not shipped. During development, the File Manager team gave this reference file a ".php" extension, which made it directly executable on any site where the plugin was installed.
“This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover,” Antony Garand from Sucuri warned in a blog post.
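To show the defensive pattern that the failure described above omits, here is an added example (not code from the File Manager plugin or from elFinder) of a plugin entry point that exposes a third-party file-manager connector only to authenticated, authorized, nonce-protected requests; the hook name, the callback and `run_third_party_connector()` are assumed placeholders.

```php
<?php
// Added example, not the plugin's own code. Wraps an assumed third-party
// connector call (run_third_party_connector) so that a direct HTTP request to
// this file, or a request from a logged-out user, never reaches the library.

// 1. Refuse direct execution. WordPress defines ABSPATH when it loads a
//    plugin; a request straight to this file's URL never has it set, so the
//    script exits before any library code runs. A shipped reference file with
//    a .php extension and no such guard is exactly the exposure described above.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 2. Register the connector as an authenticated-only AJAX action. Because no
//    matching 'wp_ajax_nopriv_' hook is registered, WordPress rejects
//    logged-out requests before the callback is reached.
add_action( 'wp_ajax_example_fm_connector', 'example_fm_connector' );

function example_fm_connector() {
    // 3. Require a capability: only accounts allowed to upload files on the
    //    site may drive the library, not merely any logged-in user.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Require a nonce bound to this action so an authorized user cannot be
    //    tricked by another site into triggering the connector (CSRF).
    check_ajax_referer( 'example_fm_connector', 'nonce' );

    // 5. Only now hand the request to the file-manager library (placeholder).
    run_third_party_connector();
    wp_die();
}
```

Sample or reference files that come with the dependency should stay out of the released plugin entirely, or keep a non-executable extension, rather than relying on the guard above.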
Sucuri also observed hundreds of thousands of malicious probes attempting to exploit the plugin vulnerability.
“The first attack we noticed was on August 31st, one day before the plugin was updated, with an average of 1.5k attacks per hour. On September 1st, we had an average of 2.5k attacks per hour, and on September 2nd we had peaks of over 10k attacks per hour,” Sucuri added.
The File Manager plugin was patched with release version 6.9 on September 1, shortly after the attacks were first observed.
WordPress administrators should update the plugin to the latest version as soon as possible.