Advisory Overview
A vulnerability has been discovered in the popular “File Manager” plugin for the WordPress content management system that allows an unauthenticated remote attacker to create or move a potentially malicious file on a vulnerable host. The attacker can thereby place a file carrying a payload of their choice on any host running an unpatched version of the File Manager plugin, execute arbitrary code, and cause a wide range of damage depending on the exact nature of that file. The File Manager plugin has been patched, and all users are advised to update as soon as possible.
Technical detail and additional information
What is the threat?
A remote code execution (RCE) vulnerability exists in the popular “File Manager” plugin for WordPress. The vulnerability stems from the fact that the File Manager plugin allows any user, authenticated or not, to access it and send it commands. In this way, a malicious actor is able to upload malicious files into the File Manager plugin’s own file directory (they are not able to reach any other directory in this manner). The flaw was introduced by leftover code that was incorrectly modified and shipped with update v6.4.
Why is this noteworthy?
WordPress is an immensely popular content management system (CMS) that makes it very easy for users to create and host their own custom websites, blogs and applications. Furthermore, there are reportedly 700,000 active installations of this “File Manager” plugin, making it extremely pervasive among WordPress users. Any non-updated version of File Manager is vulnerable to this exploit, and there are already known cases of it being exploited in the wild. While Wordfence (a WordPress security plugin) created rules to block file uploads made in this fashion, attackers found a workaround: send a “mkfile” command in one request, followed by another command that actually creates the malicious file on the host. In response, the File Manager plugin has effectively been temporarily disabled.
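The two request shapes described above (a file-creating command sent directly, and a “mkfile” request followed shortly by another command from the same client) are what a defender would want to spot in web-server logs. The following is an added example written for this advisory; it is not code from the advisory, the plugin or Wordfence. It assumes that the plugin’s request-handling endpoint sits under a placeholder path (CONNECTOR_MARKER) and that the command name travels in a query parameter named cmd; neither is stated on this page. The command names it watches for (“mkfile”, “upload”) are the ones the advisory mentions, and the log lines are constructed samples.

```python
"""Flag file-creation requests to a File Manager plugin connector in access logs.

Added example for this advisory; not code from the advisory, the plugin, or
Wordfence. Assumptions (not stated on the page): the plugin's request-handling
endpoint sits under CONNECTOR_MARKER (a placeholder path), and the command
name travels in a query parameter called ``cmd``.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

CONNECTOR_MARKER = "/wp-content/plugins/EXAMPLE-file-manager/"  # placeholder, not the real path
WATCHED_CMDS = {"mkfile", "upload"}        # file-creating commands named in the advisory
FOLLOW_UP_WINDOW = timedelta(minutes=5)    # how soon after a mkfile a follow-up counts as chained

# Common/combined log format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation-range addresses, placeholder paths).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2020:10:01:12 +0000] "POST /wp-content/plugins/EXAMPLE-file-manager/connector.php?cmd=mkfile HTTP/1.1" 200 312 "-" "curl/7.68.0"
203.0.113.5 - - [02/Sep/2020:10:01:15 +0000] "POST /wp-content/plugins/EXAMPLE-file-manager/connector.php?cmd=upload HTTP/1.1" 200 198 "-" "curl/7.68.0"
198.51.100.7 - - [02/Sep/2020:10:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2020:10:30:02 +0000] "POST /wp-content/plugins/EXAMPLE-file-manager/connector.php?cmd=upload HTTP/1.1" 403 0 "-" "python-requests/2.24.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("url"))
    cmd = parse_qs(parts.query).get("cmd", [None])[0]
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "cmd": cmd,
        "status": int(m.group("status")),
    }


def find_suspicious(lines):
    """Return (direct, chained).

    direct:  connector requests carrying a watched command (blocked 403s included,
             since they still show someone probing the host).
    chained: any other connector command from a client that sent mkfile within
             FOLLOW_UP_WINDOW, the two-request pattern the advisory describes.
    """
    direct, chained = [], []
    last_mkfile = {}  # ip -> timestamp of that client's most recent mkfile request
    for line in lines:
        rec = parse_line(line)
        if rec is None or CONNECTOR_MARKER not in rec["path"] or rec["cmd"] is None:
            continue
        if rec["cmd"] in WATCHED_CMDS:
            direct.append(rec)
        if rec["cmd"] == "mkfile":
            last_mkfile[rec["ip"]] = rec["ts"]
        else:
            seen = last_mkfile.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= FOLLOW_UP_WINDOW:
                chained.append(rec)
    return direct, chained


if __name__ == "__main__":
    direct, chained = find_suspicious(SAMPLE_LOG.splitlines())
    for rec in direct:
        print(f"{rec['ts']:%Y-%m-%d %H:%M:%S} {rec['ip']} cmd={rec['cmd']} status={rec['status']}")
    for rec in chained:
        print(f"chained after mkfile: {rec['ip']} cmd={rec['cmd']}")
```

One caveat for real deployments: standard access logs record the query string but not POST bodies, so where the plugin receives its command in the request body the cmd value will only be visible in a WAF or application log, and the script's input should come from there instead.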
What is the exposure or risk?
A malicious actor who exploits this vulnerability could take full control of the affected system and would have access proportionate to the administrative rights of the compromised user account. They would have the ability to move any malicious file into the File Manager plugin’s directory, and an unauthenticated remote user who can add arbitrary files to a target host can cause all manner of further compromise. The exact nature of the damage can vary greatly, but the real risk stems from the simplicity of the exploit: it is simple enough that attacks were tracked at over ten thousand per hour at their peak, several days after the patch was released.
What are the recommendations?
File Manager has been updated, and it is strongly recommended that all users update to the latest version (v6.9) now to protect themselves against this vulnerability.
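To verify that the recommendation has actually been applied across a fleet of WordPress installs, the following added example (written for this advisory, not code from the advisory or from the plugin) reads the standard WordPress plugin header (the “Plugin Name:” / “Version:” comment block at the top of a plugin’s main PHP file) and reports any File Manager plugin below v6.9. The advisory does not give the plugin’s directory name, so plugins are matched on their “Plugin Name:” header rather than on a path; the directory name and header text in the sample are constructed.

```python
"""Report WordPress plugin directories holding a File Manager plugin below v6.9.

Added example for this advisory; not code from the advisory or from the plugin.
Relies on the standard WordPress plugin header ("Plugin Name:" / "Version:" in a
comment block at the top of the plugin's main PHP file). Directory names and the
sample header below are constructed.
"""
import re
from pathlib import Path

PATCHED_VERSION = (6, 9)             # the advisory names v6.9 as the fixed release
PLUGIN_NAME_MARKER = "file manager"  # matched case-insensitively against "Plugin Name:"

# A header line looks like " * Version: 6.4" or "Version: 6.4" inside a PHP comment.
HEADER_FIELD_RE = r"^[ \t*#/]*{field}:[ \t]*(?P<value>\S.*?)[ \t]*$"


def header_field(php_source, field):
    """Return the value of one WordPress plugin header field, or None if absent."""
    pattern = HEADER_FIELD_RE.format(field=re.escape(field))
    m = re.search(pattern, php_source, re.MULTILINE | re.IGNORECASE)
    return m.group("value") if m else None


def parse_version(text):
    """Turn '6.4', 'v6.9' or '6.9.1' into a tuple of ints; empty tuple if no digits."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_vulnerable(version):
    """Unknown (empty) or pre-6.9 versions are treated as vulnerable."""
    return not version or version < PATCHED_VERSION


def assess(plugin_sources):
    """plugin_sources maps a plugin directory name to the source of its main file.

    Returns {dir: (version_tuple, vulnerable)} for every File Manager plugin found.
    """
    findings = {}
    for plugin_dir, source in plugin_sources.items():
        name = header_field(source, "Plugin Name")
        if not name or PLUGIN_NAME_MARKER not in name.lower():
            continue
        version = parse_version(header_field(source, "Version") or "")
        findings[plugin_dir] = (version, is_vulnerable(version))
    return findings


def scan_plugins_dir(plugins_dir):
    """Read the top of every */*.php file under wp-content/plugins and assess them."""
    sources = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        try:
            head = php.read_text(errors="ignore")[:8192]  # the header sits at the top
        except OSError:
            continue
        if header_field(head, "Plugin Name"):              # only main files carry it
            sources[php.parent.name] = head
    return assess(sources)


# Constructed sample header standing in for a plugin's main PHP file.
SAMPLE_MAIN_FILE = """<?php
/*
Plugin Name: File Manager
Description: constructed sample header, not the plugin's real file
Version: 6.4
*/
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_plugins_dir(target) if target else assess({"EXAMPLE-file-manager": SAMPLE_MAIN_FILE})
    for plugin_dir, (version, vulnerable) in results.items():
        label = "VULNERABLE, update to v6.9" if vulnerable else "patched"
        print(f"{plugin_dir}: version {'.'.join(map(str, version)) or '?'} -> {label}")
```

Run it with the path to a site's wp-content/plugins directory to check a real install; with no argument it assesses the constructed sample and reports it as vulnerable. A plugin whose header carries no parseable version is reported as vulnerable on purpose, since an unreadable version is not evidence that the patch is in place.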
References:
For more in-depth information about the recommendations, please visit the following links:
- https://blog.sucuri.net/2020/09/critical-vulnerability-file-manager-affecting-700k-wordpress-websites.html
- https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin
If you have any questions, please contact our Security Operations Center.