1. Blog/
  2. News and Updates/
  3. Hackers are Exploiting WP File Manager Flaw

Hackers are Exploiting WP File Manager Flaw

Vulnerability in the File Manager WordPress plugin has more than 700,000 active installations & 52% of the users are affected.
Bugs, flaws, and vulnerabilities always welcome hackers regardless of the platform. Recently the bug in the File Manager WordPress plugin allows the hackers to execute different commands & malware scripts on WordPress websites that had installed the File Manager plugin. At the time of attack File Manager plugin has more than 700,000 active installations. The hacking attacks on WordPress websites came after the security bug was patched.

Hackers are using the bug to upload the different web shells that are hidden behind the images. From that point, they found an easy interface that lets them run different malware files and commands in the WordPress directory plugins/wp-file-manager/lib/files/. This is the directory where the files of the WordPress File Manager reside within the hosting.
Whereas the restrictions are stopping the hackers to execute the commands on the files that reside outside the directory. The chances of damage may be increased if the hackers can upload the scripts on the other vulnerable parts of the website.

NinTechNet website in Bangkok Thailand was one of the first security firms that report these attacks. According to them, the attackers were exploiting the File Manager bug to upload the web shell script called “Hardfork.php” & then with the help of this, they are using to inject the WordPress code directory “wp-admin/admin-ajax.php and /wp-admin/includes/users.php.”

Backdooring vulnerable sites at scale

In the reporting email, the NinTechNet CEO narrated that it is a bit too early to tell the exact amount of impact because when we came to know the hacking attack, the hackers were trying to backdoor the websites. But one of the most interesting things that came in the notice is that the hackers were trying to inject code to password-protect access to the bug files. They were doing that because that makes sure that other groups of attackers could not find the vulnerability of the websites they have already infected.

All of the commands they are running in the /lib/files directory to create & delete folder and files but the one of the most crucial issue is that they were able to upload the PHP scripts into the folders too & by running the script, they can do whatever they want to do with the blogs.

Well, till now, they are just uploading “FilesMan” that is another utility program just like File Manager, but the hackers mostly adopt it. In the next few hours or may in days, we will see what exactly they want to do, because as they are using the password-protected vulnerable file that stop the other attackers to explore the vulnerable part of the website that already infected, then it can be expected that they will come back again to visit the infected websites.

While on the other hand, another WordPress security firm Wordfence said that it has successfully blocked more than 450,000 hacking attacks on WordPress websites in the past few days. In their post, they said that the hackers are trying to inject malware files. In most cases, the files they were injecting were empty, most likely, they are trying to attempt the probe for all buggy websites, and if they found success in injecting the empty file, they will inject the malware file later. The files that hackers are trying to inject having names like:Hardfork.phpHardfind.php and x.php.

Chloe Chamberland, the Wordfence security firm researcher, narrated in his Tuesday post that a WordPress plugin like File Manager could make this possible for the hackers to upload any type pf files and let the manipulate anything by merely choosing the direct access to the website dashboard. Above all, it could make them escalate the website privileges for the WordPress admin area. For instance, the hackers can easily access the WordPress admin area by merely using the compromised password and can easily access this plugin and upload any web shell for further penetration into the website server and other stuff.

Potential Damage – 52% of Active Installation (700,000)

The File Manager WordPress plugin allows the WordPress admin to create, upload, and delete the files without accessing the hosting. Within the plugin, you can find another additional file manager called elFinder. It is an open-source library that offers the plugin’s core functionality and the user interface to use the plugin. The bug’s root cause arises from the method of implementing the additional plugin that offers the core functionality.

The root cause of the issue starts with the File Manager renaming the extension available on the elFinder library’s file “connector.minimal.php.dist” to the .php so that the core functionality could be executed directly. However, the connector file of the plugin was not using the plugin itself.

Most of the time, such kind of open source libraries include the example files that are not purposely to be used without adding any access controls. These files have no direct access controlling mechanism that means it is open to access by anyone. This file is used to initialize the elFinder command and was places in the elFinderConnector.class.php file.
Sal Aguilar wrote that the WP File Manager bug is CRITICAL. It is spreading across the community fastly, and I can see hundreds of websites are getting infected every hour. Malware is being uploaded into the directory “/wp-content/plugins/wp-file-manager/lib/files”.

The File Manager Version ranging from 6.0 to 6.8 having the security flaw. According to the WordPress statistics, 52% of the active installation is buggy. More than half of the 700,000 active installations the websites are vulnerable. The damage potential is high. If you are running WP File Manager version 6.0 to 6.8, you must updateit to 6.9 as soon as possible.