WordPress Websites Attacked via File Manager Plugin Vulnerability

Graham CLULEY

September 02, 2020

  • Websites are being hijacked by hackers exploiting plugin vulnerability
  • Hackers password-protect compromised sites to keep out rival attackers
  • At-risk websites advised to update WordPress File Manager plugin immediately.

Hackers are exploiting a critical vulnerability that may be affecting hundreds of thousands of websites running WordPress.

The vulnerability – first discovered by Finnish hosting provider Seravo – lies in versions of the popular third-party plugin WordPress File Manager, which has been installed on over 700,000 websites.

WordPress File Manager bills itself as a tool to make it simple for webmasters to upload, edit, archive, and delete files and folders on their website’s backend.

But hackers have found a way to exploit version 6.8 and below of WordPress File Manager to inject malicious code onto websites without authorisation, creating backdoors for future abuse.

As security researchers at NinTechNet describe, one interesting aspect of the attack is that the hackers are injecting code into the websites they compromise to password-protect access via the flaw – thus preventing other hacking groups from exploiting the same vulnerability.

WordPress security firm Wordfence says that it has blocked over 450,000 exploit attempts in the last several days.

In a blog post, Wordfence’s Chloe Chamberland describes the potential impact of an attack:

“A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area.”

“For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

The makers of WordPress File Manager issued an update (version 6.9) on September 1st that resolves the security issue, but hundreds of thousands of websites are still thought to be running out-of-date, vulnerable versions of the plugin.

It should go without saying that anyone running a website should be very selective about what third-party plugins they install, keep a keen eye on security updates, and apply them as necessary.

The latest versions of WordPress include the ability to automatically update third-party plugins like WordPress File Manager when new releases are published, although this may not be a feature that is desirable on every website.
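For site owners who manage several WordPress installs and want to confirm which ones still run an affected release, the following added example (not from the article or the plugin's authors) reads the standard plugin header that WordPress itself parses from a plugin's main PHP file and flags anything below the fixed version 6.9 named above. The sample header string is constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Release that resolved the flaw, per the article; 6.8 and below are affected.
FIXED_VERSION = "6.9"

# Constructed sample of a WordPress plugin header block; only the
# "Version:" line matters for this check.
SAMPLE_HEADER = """<?php
/*
Plugin Name: File Manager
Description: Upload, edit, archive and delete files from the dashboard.
Version: 6.8
*/
"""


def parse_plugin_version(php_source: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    match = re.search(
        r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
        php_source,
        re.MULTILINE | re.IGNORECASE,
    )
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '6.8' / '6.10' into (6, 8) / (6, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def audit_plugin_file(path: Path) -> str:
    """Read a plugin's main PHP file from disk and report its patch state."""
    version = parse_plugin_version(path.read_text(errors="replace"))
    if version is None:
        return f"{path}: no Version header found"
    state = "VULNERABLE - update now" if is_vulnerable_version(version) else "patched"
    return f"{path}: version {version} -> {state}"


if __name__ == "__main__":
    found = parse_plugin_version(SAMPLE_HEADER)
    print(found, "vulnerable" if is_vulnerable_version(found) else "patched")
```

Point `audit_plugin_file` at the plugin's main file under `wp-content/plugins/` on each host; a numeric tuple comparison is used so that a hypothetical 6.10 is not mistaken for something older than 6.9.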

If your website was compromised, you are advised to reinstall WordPress to clean up possibly infected core files, and to change the passwords for databases and for all users with administrator privileges.
