Hackers exploit critical “zero-day” vulnerability affecting more than 350,000 websites

The vulnerability is in the wp-file-manager plugin, is present in versions 6.0 through 6.8, and affects about 50% of the users of this plugin.

Last update: 02-09 at 10.01

Hackers are actively exploiting a vulnerability that allows them to execute commands and upload rogue files to any website with a vulnerable version of the wp-file-manager plugin. The plugin’s developers fixed the vulnerability last night, and it has since been actively abused on older versions.

As a website owner, what should you do now?

Update (or uninstall) the wp-file-manager plugin today! The steps:

  • Log in to your WordPress dashboard (domainname.co.uk/admin)
  • Click on ‘Plugins’
  • Under the ‘File Manager’ plugin you will find the text below. Click on ‘Update Now’

There is a new version of File Manager available. View version 6.9 details or update now.

The plugin is now updated to the latest version and no longer vulnerable. However, that vulnerability may have already been exploited, so take additional steps to protect your website.

Additional technical information (for IT professionals)

Do you have additional information you would like to share? Send an email to mark@sqr.nl

The vulnerability was first reported last night by website security firm NinTechNet on their blog, after the plugin’s developers patched it.

The vulnerability allows unauthorized individuals to use the file management plugin because of an unprotected file in the ‘elFinder’ package, which the plugin uses. NinTechNet has shared a snippet from the access logs of a hacked website:

185.222.57.0 - - [31/Aug/2020:21:37:25 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-" 
185.222.57.0 - - [31/Aug/2020:21:37:29 +0200] "POST //wp-content/plugins/wp-file-manager/lib/

This hacker uploaded the file hardfork.php and used that script to inject code into the WordPress files /wp-admin/admin-ajax.php and /wp-includes/user.php. Other files uploaded are hardfork.php, hardfind.php, x.php, sadgafasdf.php and xsdaadf.php.

At the time of writing, the vulnerability is being exploited from three IP ranges:

185.222.57.0/24
89.238.178.0/24
74.50.48.0/20
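
To check your own access log for the indicators above, the following Python script is an added example (not code from NinTechNet or from this article). It assumes the log format shown in the snippet above; the function name scan and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Indicators as listed in the article above.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
DROPPED = {"hardfork.php", "hardfind.php", "x.php", "sadgafasdf.php", "xsdaadf.php"}
RANGES = [ipaddress.ip_network(n) for n in ("185.222.57.0/24", "89.238.178.0/24", "74.50.48.0/20")]
# Fields: client ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def scan(lines):
    """Return one finding per log line that touches the connector or a listed file."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # truncated or malformed line, nothing reliable to parse
        client, when, method, target, status = m.groups()
        # Drop the query string, decode %xx, collapse "//" as seen in the snippet.
        path = re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0])).lower()
        reasons = []
        if method == "POST" and path.endswith(CONNECTOR):
            reasons.append("connector-post")
        # The article gives file names only, so match the name in any directory.
        if path.rsplit("/", 1)[-1] in DROPPED:
            reasons.append("dropped-file")
        if not reasons:
            continue
        try:
            known = any(ipaddress.ip_address(client) in net for net in RANGES)
        except ValueError:
            known = False  # client field is not an IP address
        findings.append({"client": client, "time": when, "path": path, "reasons": reasons,
                         "known_range": known, "served": status.startswith("2")})
    return findings

# Constructed sample lines (not from a real server), in the format of the snippet.
SAMPLE = [
    '185.222.57.10 - - [01/Sep/2020:08:00:01 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 www.example.com "-" "python-requests/2.24.0" "-"',
    '198.51.100.4 - - [01/Sep/2020:08:00:03 +0200] "GET /index.php HTTP/1.1" 200 5120 www.example.com "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [01/Sep/2020:08:00:05 +0200] "GET /some/dir/hardfind.php?a=1 HTTP/1.1" 200 12 www.example.com "-" "curl/7.68.0" "-"',
    '74.50.63.200 - - [01/Sep/2020:08:00:07 +0200] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 404 196 www.example.com "-" "python-requests/2.24.0" "-"',
    '185.222.57.10 - - [01/Sep/2020:08:00:09 +0200] "POST //wp-content/plugins/wp-file-manager/lib/',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A finding with served set to True means the server answered the request with a 2xx status, so that site needs the additional clean-up steps and not only the update. The known_range flag is informational: a hit from an address outside the three ranges is still a hit.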

Want to know more about elFinder or how the vulnerability works? Then take a look at this blog post from Wordfence.
