Ville Korhonen, an on-call security officer for Seravo, discovered on Tuesday a severe vulnerability in a WordPress plugin being exploited against several customers. An investigation uncovered a zero-day in the WordPress plugin WP File Manager being used in the wild that could allow any remote, unauthenticated attacker to upload files and execute code. WP File Manager had over 700,000 active installations at the time of discovery yesterday and can be found just by browsing the popular plugins page on the official WordPress site. When looking into the traffic logs for affected sites, Seravo discovered that a POST request was being made to WP File Manager’s “lib/php/connector.minimal.php”. This file contained example code from the open source “elFinder” project that was never meant to be used on production websites. Seravo quickly reported the flaw to the plugin authors, and the plugin was updated the same day.
Any WordPress admins running the WP File Manager plugin, free or paid, are advised to update to version 6.9 as soon as possible. WordPress plugins are a popular target for exploitation because the open nature of WordPress allows anyone to create a plugin and submit it to be officially hosted. WordPress and plugin installations should be updated regularly to stay on top of security updates like this one. Binary Defense also recommends performing a regular audit of installed plugins with the goal of removing any unused ones.
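The traffic pattern Seravo describes above, a POST to the plugin's “lib/php/connector.minimal.php”, is easy to hunt for in web server access logs. The following is an added example written for this article, not code from Seravo, Binary Defense or the plugin: it parses combined-format (Apache/nginx default) log lines and flags POST requests whose path ends in that file. The plugin directory name `wp-file-manager` in the sample lines and the sample lines themselves are constructed assumptions; only the `lib/php/connector.minimal.php` suffix comes from the write-up.

```python
import re
from dataclasses import dataclass

# Path named in the write-up. Matched as a suffix so the plugin directory
# name (assumed here to be "wp-file-manager") does not have to be known.
CONNECTOR_SUFFIX = "lib/php/connector.minimal.php"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def is_connector_post(method: str, path: str) -> bool:
    """True for a POST to the elFinder connector file, ignoring any query string."""
    clean = path.split("?", 1)[0]
    return method == "POST" and clean.endswith(CONNECTOR_SUFFIX)


def scan(lines) -> list:
    """Return one Hit per log line that is a POST to the connector file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_connector_post(m["method"], m["path"]):
            hits.append(Hit(m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Sep/2020:13:58:02 +0000] "GET / HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2020:14:02:11 +0000] "POST /wp-content/plugins/wp-file-manager/'
    'lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"',
    '198.51.100.4 - - [01/Sep/2020:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2020:14:02:09 +0000] "GET /wp-content/plugins/wp-file-manager/'
    'lib/php/connector.minimal.php?cmd=open HTTP/1.1" 200 311 "-" "python-requests/2.24"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} POST {hit.path} -> {hit.status}")
```

A 200 response on such a POST from a client with no authenticated session is the strongest signal; follow up by checking the plugin's upload directory for newly written PHP files and confirming the plugin is at 6.9 or later.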