Some 700,000 WordPress sites thought to be impacted by remote code execution bug

WordPress security: Zero-day flaw in File Manager plugin actively exploited

UPDATED Users of File Manager, a popular WordPress plugin, have been urged to update to the latest version amid the active exploitation of a critical zero-day vulnerability.

The remote code execution (RCE) flaw, which was assigned the highest possible CVSS score of 10, allows unauthenticated attackers to execute arbitrary code and upload malicious files on vulnerable websites.

The flaw was unearthed by Ville Korhonen, systems team lead at Finnish WordPress hosting company Seravo, who documented the discovery in a blog post.

“An attacker could potentially do whatever they choose to – steal private data, destroy the site or use the website to mount further attacks on other sites or the infrastructure,” said Korhonen.

File Manager, which helps WordPress administrators organize files on their sites, has more than 700,000 active installations.

Indicators of compromise

A firewall deployed by Wordfence has blocked over 450,000 exploit attempts targeting the vulnerability in recent days, according to a blog post published by the WordPress security outfit yesterday (September 1).

Attackers appear to be probing for the flaw by attempting to inject empty files, the company said.

Wordfence has advised users to check files within File Manager for indicators of compromise that include the files hardfork.php, hardfind.php, x.php, and six IP addresses frequently used by attackers.

Miscreants “are using the upload command to upload PHP files containing webshells hidden in an image to the wp-content/plugins/wp-file-manager/lib/files/ directory”, said Chloe Chamberland, a threat analyst at Wordfence.

Wordfence was alerted to evidence of in-the-wild exploitation yesterday by Gonzalo Cruz from web hosting firm Arsy.


The vulnerability was found in elFinder, an open source file manager used by the plugin.

“The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself,” explained Chamberland.

“Such libraries often include example files that are not intended to be used ‘as-is’ without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.”

She continued: “Any parameters sent in a request to connector.minimal.php would be processed by the run() function in the elFinderConnector.class.php file, including the command that was supplied in the cmd parameter.”

Thankfully, she added, “elFinder has built-in protection against directory traversal”, so an attacker would be unable to execute malicious commands outside of the plugin’s file directory.

The vulnerability is present in File Manager versions 6.0-6.8 and was patched in version 6.9, which was released by the plugin’s developer, Canada-based Webdesi9, a few hours after being alerted to the flaw by Seravo.
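As an added example (not code from Wordfence, Seravo or the plugin's developer), the following Python sketch turns the details reported above into a defender-side check of one WordPress document root: the affected version range, the presence of connector.minimal.php, and the upload directory and filenames named by Wordfence. It assumes the plugin version can be read from a standard WordPress "Version:" header; the function names are illustrative and the sample tree is constructed from inert placeholders.

```python
import re
import sys
import tempfile
from pathlib import Path

PLUGIN_DIR = Path("wp-content/plugins/wp-file-manager")  # plugin path quoted in the article
UPLOAD_DIR = PLUGIN_DIR / "lib" / "files"                 # upload target named by Wordfence
IOC_NAMES = {"hardfork.php", "hardfind.php", "x.php"}     # filenames listed in the article

def affected_version(plugin):
    """Return 'x.y' if a plugin 'Version:' header (assumed standard format) is in 6.0-6.8."""
    for php in sorted(plugin.glob("*.php")):
        m = re.search(r"^[ \t/*#@]*Version:\s*(\d+)\.(\d+)", php.read_text(errors="replace"), re.M)
        if m and int(m[1]) == 6 and int(m[2]) <= 8:
            return f"{m[1]}.{m[2]}"
    return None

def scan_site(wp_root):
    """Return (severity, message) findings for one WordPress document root."""
    root, findings = Path(wp_root), []
    plugin, uploads = root / PLUGIN_DIR, root / UPLOAD_DIR
    if not plugin.is_dir():
        return findings
    version = affected_version(plugin)
    if version:
        findings.append(("high", f"File Manager {version} is in the affected range 6.0-6.8"))
    for conn in sorted(plugin.rglob("connector.minimal.php")):
        findings.append(("high", f"directly executable connector: {conn.relative_to(root)}"))
    files = sorted(p for p in uploads.rglob("*") if p.is_file()) if uploads.is_dir() else []
    for f in files:
        data, rel = f.read_bytes(), f.relative_to(root)
        if f.name.lower() in IOC_NAMES:
            findings.append(("critical", f"IoC filename from the article: {rel}"))
        elif not data:
            findings.append(("warn", f"empty file, matches the probing pattern: {rel}"))
        elif b"<?php" in data.lower():
            findings.append(("high", f"PHP code inside an uploaded file: {rel}"))
    return findings

def build_constructed_site(root):
    """Constructed sample tree (inert placeholders, not real samples) for an offline run."""
    up = Path(root) / UPLOAD_DIR
    up.mkdir(parents=True)
    (Path(root) / PLUGIN_DIR / "plugin.php").write_text("<?php\n/*\n * Version: 6.8\n */\n")
    for name, body in (("hardfork.php", b"<?php"), ("probe.txt", b""), ("photo.jpg", b"\xff\xd8JFIF<?php")):
        (up / name).write_bytes(body)
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_site(tempfile.mkdtemp())
    print("\n".join(f"[{sev}] {msg}" for sev, msg in scan_site(target)))
```

Run it with a document root as the first argument; with no argument it scans the constructed tree. A clean result does not rule out compromise, since uploaded files can be renamed or moved within the plugin's directory.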

‘Serious problems’

File management and other utility plugins typically “contain several features that if exposed within the admin area of your WordPress installation, could cause serious problems,” said Chamberland.

This includes attackers manipulating files or uploading malicious files “directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area.

“For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

Wordfence therefore recommends that users uninstall utility plugins “when they are not in use, so that they do not create an easy intrusion vector for attackers to escalate their privileges”.

This article was updated on September 2 to credit Ville Korhonen of Seravo with finding the flaw and add a comment from the researcher
