1. Blog/
  2. News and Updates/
  3. Hackers are Exploiting WP File Manager Flaw

Hackers are Exploiting WP File Manager Flaw

Vulnerability in the File Manager WordPress plugin has more than 700,000 active installations & 52% of the users are affected.
Bugs, flaws, and vulnerabilities always welcome hackers regardless of the platform. Recently the bug in the File Manager WordPress plugin allows the hackers to execute different commands & malware scripts on WordPress websites that had installed the File Manager plugin. At the time of attack File Manager plugin has more than 700,000 active installations. The hacking attacks on WordPress websites came after the security bug was patched.

Hackers are using the bug to upload the different web shells that are hidden behind the images. From that point, they found an easy interface that lets them run different malware files and commands in the WordPress directory plugins/wp-file-manager/lib/files/. This is the directory where the files of the WordPress File Manager reside within the hosting.
Whereas the restrictions are stopping the hackers to execute the commands on the files that reside outside the directory. The chances of damage may be increased if the hackers can upload the scripts on the other vulnerable parts of the website.

NinTechNet website in Bangkok Thailand was one of the first security firms that report these attacks. According to them, the attackers were exploiting the File Manager bug to upload the web shell script called “Hardfork.php” & then with the help of this, they are using to inject the WordPress code directory “wp-admin/admin-ajax.php and /wp-admin/includes/users.php.”

Backdooring vulnerable sites at scale

In the reporting email, the NinTechNet CEO narrated that it is a bit too early to tell the exact amount of impact because when we came to know the hacking attack, the hackers were trying to backdoor the websites. But one of the most interesting things that came in the notice is that the hackers were trying to inject code to password-protect access to the bug files. They were doing that because that makes sure that other groups of attackers could not find the vulnerability of the websites they have already infected.

All of the commands they are running in the /lib/files directory to create & delete folder and files but the one of the most crucial issue is that they were able to upload the PHP scripts into the folders too & by running the script, they can do whatever they want to do with the blogs.

Well, till now, they are just uploading “FilesMan” that is another utility program just like File Manager, but the hackers mostly adopt it. In the next few hours or may in days, we will see what exactly they want to do, because as they are using the password-protected vulnerable file that stop the other attackers to explore the vulnerable part of the website that already infected, then it can be expected that they will come back again to visit the infected websites.

While on the other hand, another WordPress security firm Wordfence said that it has successfully blocked more than 450,000 hacking attacks on WordPress websites in the past few days. In their post, they said that the hackers are trying to inject malware files. In most cases, the files they were injecting were empty, most likely, they are trying to attempt the probe for all buggy websites, and if they found success in injecting the empty file, they will inject the malware file later. The files that hackers are trying to inject having names like:Hardfork.phpHardfind.php and x.php.

Chloe Chamberland, the Wordfence security firm researcher, narrated in his Tuesday post that a WordPress plugin like File Manager could make this possible for the hackers to upload any type pf files and let the manipulate anything by merely choosing the direct access to the website dashboard. Above all, it could make them escalate the website privileges for the WordPress admin area. For instance, the hackers can easily access the WordPress admin area by merely using the compromised password and can easily access this plugin and upload any web shell for further penetration into the website server and other stuff.

Potential Damage – 52% of Active Installation (700,000)

The File Manager WordPress plugin allows the WordPress admin to create, upload, and delete the files without accessing the hosting. Within the plugin, you can find another additional file manager called elFinder. It is an open-source library that offers the plugin’s core functionality and the user interface to use the plugin. The bug’s root cause arises from the method of implementing the additional plugin that offers the core functionality.

The root cause of the issue starts with the File Manager renaming the extension available on the elFinder library’s file “connector.minimal.php.dist” to the .php so that the core functionality could be executed directly. However, the connector file of the plugin was not using the plugin itself.

Most of the time, such kind of open source libraries include the example files that are not purposely to be used without adding any access controls. These files have no direct access controlling mechanism that means it is open to access by anyone. This file is used to initialize the elFinder command and was places in the elFinderConnector.class.php file.
Sal Aguilar wrote that the WP File Manager bug is CRITICAL. It is spreading across the community fastly, and I can see hundreds of websites are getting infected every hour. Malware is being uploaded into the directory “/wp-content/plugins/wp-file-manager/lib/files”.

The security flaw in the File Manager WordPress plugin discovered in June 2019 had a far-reaching impact, affecting more than 700,000 active installations. Approximately 52% of the users were affected, making it one of the most significant data security breaches in recent times.

This vulnerability allowed hackers to execute various commands and upload malicious scripts on WordPress websites that had installed the File Manager plugin. The attackers exploited this flaw by uploading web shells hidden behind images, enabling them to run different malware files and commands within the WordPress directory “plugins/wp-file-manager/lib/files/.” This directory hosts the files for the WordPress File Manager.

While the directory restrictions prevented hackers from executing commands on files outside it, the potential for damage increased if they could upload scripts to other vulnerable parts of the website.

NinTechNet, a security firm in Bangkok, Thailand, was among the first to report these attacks. They revealed that attackers were leveraging the File Manager bug to upload the web shell script “Hardfork.php” and then injecting it into the WordPress code directory, specifically “wp-admin/admin-ajax.php” and “/wp-admin/includes/users.php.”

One notable aspect of these attacks was the hackers’ attempt to password-protect access to the bugged files. This tactic aimed to ensure that other malicious groups could not discover and exploit the vulnerability in websites already compromised.

Commands executed within the “/lib/files” directory allowed the hackers to create and delete folders and files. However, the critical issue was their ability to upload PHP scripts into these folders. By running these scripts, the hackers could perform various actions on the compromised websites.

One commonly uploaded utility program was “FilesMan,” similar to File Manager but favored by hackers. Their intentions remain unclear, but by employing password protection, they sought to safeguard their access to infected websites from other cybercriminals.

Another WordPress security firm, Wordfence, reported successfully blocking over 450,000 hacking attacks on WordPress websites in recent days. Hackers were attempting to inject malware files, often starting with empty files as probes to identify vulnerable websites. Some of the file names hackers were attempting to inject included “Hardfork.php,” “Hardfind.php,” and “x.php.”

A key concern is the substantial potential damage, with 52% of active installations (over 700,000 websites) being vulnerable. The File Manager plugin allows WordPress admins to manage files without accessing the hosting environment directly. The bug’s origin lies in the way the plugin implements additional core functionality from the elFinder library. This critical issue stemmed from the renaming of the elFinder library’s file “connector.minimal.php.dist” to .php, enabling the execution of core functionality directly.

Most open-source libraries, like elFinder, contain example files that lack access controls, making them open to anyone. These files initialize elFinder commands and are placed within the elFinderConnector.class.php file.

It is essential for users to update their File Manager WordPress plugin to version 6.9 if they are currently using versions 6.0 to 6.8. This update is critical to prevent potential security breaches and safeguard vulnerable websites.

The security flaw in the File Manager WordPress plugin discovered in June 2019 had a far-reaching impact, affecting more than 700,000 active installations. Approximately 52% of the users were affected, making it one of the most significant data security breaches in recent times.

This vulnerability allowed hackers to execute various commands and upload malicious scripts on WordPress websites that had installed the File Manager plugin. The attackers exploited this flaw by uploading web shells hidden behind images, enabling them to run different malware files and commands within the WordPress directory “plugins/wp-file-manager/lib/files/.” This directory hosts the files for the WordPress File Manager.

File Manager WordPress plugin

While the directory restrictions prevented hackers from executing commands on files outside it, the potential for damage increased if they could upload scripts to other vulnerable parts of the website.

NinTechNet, a security firm in Bangkok, Thailand, was among the first to report these attacks. They revealed that attackers were leveraging the File Manager bug to upload the web shell script “Hardfork.php” and then injecting it into the WordPress code directory, specifically “wp-admin/admin-ajax.php” and “/wp-admin/includes/users.php.”

One notable aspect of these attacks was the hackers’ attempt to password-protect access to the bugged files. This tactic aimed to ensure that other malicious groups could not discover and exploit the vulnerability in websites already compromised.

Commands executed within the “/lib/files” directory allowed the hackers to create and delete folders and files. However, the critical issue was their ability to upload PHP scripts into these folders. By running these scripts, the hackers could perform various actions on the compromised websites.

One commonly uploaded utility program was “FilesMan,” similar to File Manager but favored by hackers. Their intentions remain unclear, but by employing password protection, they sought to safeguard their access to infected websites from other cybercriminals.

Another WordPress security firm, Wordfence, reported successfully blocking over 450,000 hacking attacks on WordPress websites in recent days. Hackers were attempting to inject malware files, often starting with empty files as probes to identify vulnerable websites. Some of the file names hackers were attempting to inject included “Hardfork.php,” “Hardfind.php,” and “x.php.”

A key concern is the substantial potential damage, with 52% of active installations (over 700,000 websites) being vulnerable. The File Manager plugin allows WordPress admins to manage files without accessing the hosting environment directly. The bug’s origin lies in the way the plugin implements additional core functionality from the elFinder library. This critical issue stemmed from the renaming of the elFinder library’s file “connector.minimal.php.dist” to .php, enabling the execution of core functionality directly.

Most open-source libraries, like elFinder, contain example files that lack access controls, making them open to anyone. These files initialize elFinder commands and are placed within the elFinderConnector.class.php file.

It is essential for users to update their File Manager WordPress plugin to version 6.9 if they are currently using versions 6.0 to 6.8. This update is critical to prevent potential security breaches and safeguard vulnerable websites.

The File Manager Version ranging from 6.0 to 6.8 having the security flaw. According to the WordPress statistics, 52% of the active installation is buggy. More than half of the 700,000 active installations the websites are vulnerable. The damage potential is high. If you are running WP File Manager version 6.0 to 6.8, you must updateit to 6.9 as soon as possible.