On September 01, 2020, a zero-day vulnerability in the WP (WordPress) File Manager plugin, which was reported to be installed on more than 700,000 sites, was found and patched within the same day. The vulnerability gives “attackers the ability to upload files and execute code remotely on an affected site” [1]. The bug was found by Seravo while examining WP File Manager, when they noticed code from the elFinder library. That code was meant only as an example, but it had been shipped in production with the possibility of execution without authentication [2]. Concerned by this, Seravo immediately reported the issue to the authors of the WP plugin.
Vulnerability
The zero-day was found in the bundled elFinder library: the connector.minimal.php.dist file had been renamed to a .php file, which allowed it to be executed directly, even though the File Manager itself did not use that connector file. The elFinder code was meant to serve as example files, to be used only once additional access controls were implemented. Because they were example files, there were no direct access restrictions, so anyone could reach them. The resulting unauthenticated file upload gives an attacker the ability to upload and manipulate arbitrary malicious files. Wordfence added a firewall rule to block attempts to exploit the vulnerability, and in doing so noticed that the files attackers were attempting to inject had names beginning with “hard” or “x” [3]. The vulnerability affects versions 6.4 – 6.8.
Impact
A large number of websites have been attacked through this vulnerability since the flaw was made public. Wordfence (Defiant Inc.) protects over 3 million WordPress sites and has been recording the attacks; as of September 04, 2020, it had received notice that over 1.7 million sites had been affected. “Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin” [4].
Mitigation
A patch was released the same day the vulnerability was discovered and is included in the newest version, 6.9; updating is necessary if a site requires continued use of WP File Manager. Wordfence suggests watching for uploaded files whose names contain “hard” or “x”. Files named hardfork.php, hardfind.php, and x.php have been observed and are in fact malicious. Such files can be found in /wp-content/plugins/wp-file-manager/lib/files [4]. If the plugin is not actively being used, it is recommended to uninstall it completely. Where available, apply a firewall that can protect the File Manager from attacks exploiting the vulnerability.
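As an added example (not code from the writeup, from Wordfence, or from the plugin), a small Python scan that walks the upload directory named above and flags files matching the reported names or the “hard”/“x” prefix. The directory tree it scans is constructed in a temporary folder for demonstration, and the catch-all flag for any other .php file in the upload directory is a heuristic assumption of this example, not something the writeup states.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Upload directory from the writeup, relative to the WordPress root.
UPLOAD_DIR = Path("wp-content/plugins/wp-file-manager/lib/files")

# File names Wordfence observed, and the name prefixes it reported.
KNOWN_NAMES = {"hardfork.php", "hardfind.php", "x.php"}
SUSPICIOUS_PREFIXES = ("hard", "x")


def classify(name: str) -> Optional[str]:
    """Return why a file name looks like an injected upload, or None if it does not."""
    lower = name.lower()
    if lower in KNOWN_NAMES:
        return "known indicator name"
    if lower.endswith(".php") and lower.startswith(SUSPICIOUS_PREFIXES):
        return "php file with 'hard'/'x' prefix"
    if lower.endswith(".php"):
        # Heuristic assumption: the upload directory should not hold PHP at all,
        # so any other .php file is worth a manual review.
        return "php file in upload directory (review manually)"
    return None


def scan_upload_dir(wp_root: str) -> Dict[str, str]:
    """Scan UPLOAD_DIR under wp_root recursively; map relative path -> reason."""
    findings: Dict[str, str] = {}
    base = Path(wp_root) / UPLOAD_DIR
    if not base.is_dir():
        return findings
    for path in base.rglob("*"):
        if path.is_file():
            reason = classify(path.name)
            if reason:
                findings[path.relative_to(base).as_posix()] = reason
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed WordPress tree in a temp dir and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root) / UPLOAD_DIR
        base.mkdir(parents=True)
        for name in ("hardfork.php", "x.php", "xray.php", "report.pdf", "notes.txt"):
            (base / name).write_text("sample")
        (base / "sub").mkdir()
        (base / "sub" / "shell.php").write_text("sample")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {why}")
```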
Relevance
WordPress File Manager is a popular plugin used on many sites, which is one reason so many attacks have been recorded. Sites that use WP File Manager should have someone monitoring it, or should uninstall the plugin, to avoid exposure to this zero-day vulnerability.