Hackers Actively Exploiting Severe Bug In Over 300K WordPress Sites

Hackers Actively Exploiting Severe Bug In Over 300K WordPress Sites

Hackers are actively exploiting a critical remote code execution vulnerability allowing unauthenticated attackers to upload scripts and execute arbitrary code on WordPress sites running vulnerable File Manager plugin versions.

On the morning of September 1st, Seravo’s on-call security officer Ville Korhonen was the first to discover the flaw and the fact that threat actors were already attempting to exploit it in attacks designed to upload malicious PHP files onto vulnerable websites.

Within hours after Korhonen spotted the attacks and reported the vulnerability to the plugin’s developer, File Manager‘s devs patched the severe flaw with the release of versions 6.9.

The File Manager plugin is currently installed on more than 700,000 WordPress sites and the vulnerability impacts all versions between 6.0 and 6.8.

450,000 sites already probed

Wordfence researchers were also informed of this ongoing attack on the morning of September 1st by Arsys’s Gonzalo Cruz, who provided them with a working proof of concept, allowing them to look into how to block the attacks.

The WordPress security company later said that the Wordfence Web Application Firewall was able to block out over 450,000 exploit attempts during the last several days.

Wordfence said that the hackers are trying to upload PHP files with webshells concealed within images to the wp-content/plugins/wp-file-manager/lib/files/ folder.

They were also seen first probing potentially vulnerable sites with empty files and, only if the attack is successful, trying to inject the malicious scripts.

NinTechNet, who also reported the exploit attempts, said the attackers are attempting to upload a malicious hardfork.php script which allows them to inject malicious code within the WordPress sites’ /wp-admin/admin-ajax.php and /wp-includes/user.php scripts.

What makes the attacks even more interesting is that the hackers will also immediately try to prevent others from compromising an already infected site by password protecting the files exposed to writing by the File Manager vulnerability.

Also read: 10 Tips For Drafting Key Terms In A Service Agreement

Over 300,000 sites still vulnerable to attacks

“A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area,” Chloe Chamberland, Wordfence’s Director of Information Security explained.

“For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

File Manager’s dev team addressed the actively exploited critical vulnerability with the release of File Manager 6.9 yesterday morning.

However, the plugin has only been downloaded just over 126,000 times — including both updates and new installs — within the last two days based on historic download data available on the WordPress plugin portal, leaving 574,000 WordPress sites potentially exposed.

Luckily, only 51,5% of all sites with active File Manager plugin installation (amounting to more than 300,000 websites) are running a vulnerable version that could allow the attackers to execute arbitrary code after successful exploitation.

File Manager users are recommended to immediately update the plugin to version 6.9 as soon as possible to block the ongoing attacks.

Update: Attributed the discovery of the zero-day to Seravo’s Ville Korhonen who reported the flaw and ongoing attacks to the plugin’s authors.

Also read: How To Make A PDPC Complaint: With Its Importance And Impact