Last week, a flaw in the WP File Manager plugin for WordPress was discovered being exploited in the wild. It was quickly reported, and the developers patched it the same day. One week later, as of yesterday, over 2.6 million sites have been attacked in attempts to exploit the plugin before site administrators update it. At least one successful attacker has been modifying the vulnerable file to lock out other exploit attempts, also adding $content="by bajatax" to the code. At least one other actor has also been identified exploiting the plugin, based on a password hash consistently found being used to lock out other exploitation attempts. Once a site has been infected, “bajatax” uses the Telegram API to send the stolen credentials of any user who attempts to log in to the site.
If you’re outside the security industry, you probably think of a cybercriminal as they are