Hackers exploit critical “zero day” leak affecting more than 350,000 websites

Mark Kraakman Wrote this on 02 September 2020

The leak is in the plugin wp-file-manager and is present in versions 6.0 through 6.8 and affects about 50% of the users of this plugin.

Last update: 02-09 at 10.01

Hackers are actively exploiting a leak that allows them to execute commands and upload rogue files to any website with a vulnerable version of the wp-file-manager plugin. The vulnerability was fixed by the plugin’s developers last night and has since been actively abused on older versions.

Oh crap!!! The WP File Manager vulnerability is SERIOUS. Its spreading fast and I’m seeing hundreds of sites getting infected. Malware is being uploaded to /wp-content/plugins/wp-file-manager/lib/files #WordPress #WordPressMalware #Malware #webhosting #wordpresssecurity
– S.Aguilar (@RipeR81) September 2, 2020

As a website owner, what should you do now?

Update (or uninstall) the wp-file-manager plugin today! The steps:

Log in to your WordPress dashboard (domainname.co.uk/admin)
Click on ‘Plugins’
Under the ‘File Manager’ plugin you will find the text below. Click on ‘Update Now’

Er is een nieuwe versie van File Manager beschikbaar. Details van 6.9 bekijken of nu bijwerken.

The plugin is now updated to the latest version and no longer vulnerable. However, that vulnerability may have already been exploited, so take additional steps to protect your website.

Additional technical information (for IT professionals)

Do you have additional information you would like to share? Send an email to mark@sqr.nl

The leak was first reported last night by website security firm NinTechNet on their blog after the plugin’s developers patched the vulnerability.

The vulnerability allows unauthorized individuals to use the file management plugin by placing an unprotected file in the ‘elFinder’ package, which the plugin uses. NinTechNet has shared a snippet from the access logs of a hacked Web site:

185.222.57.0 - - [31/Aug/2020:21:37:25 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-" 
185.222.57.0 - - [31/Aug/2020:21:37:29 +0200] "POST //wp-content/plugins/wp-file-manager/lib/

This hacker uploaded the file hardfork.php and used that script to inject code into WordPress

/wp-admin/admin-ajax.php

and

/wp-includes/user.php

.
Other files uploaded are hardfork.php, hardfind.php, x.php, sadgafasdf.php and xsdaadf.php

At the time of writing, the leak is being exploited from three ip ranges:

185.222.57.0/24

89.238.178.0/24

74.50.48.0/20

Want to know more about elFinder or how the vulnerability works? Then take a look at this blog post from WordFence.

Register

Domain extensions

Transfer

Premium DNS

SSL certificate

Website

Website

Website migration service

Websitebuilder

WordPress Hosting

Hosting

Hosting

Hosting migration service

Super fast WordPress Hosting

Webhosting

Reseller Hosting

VPS

VPS

VPS Hosting

Configure VPS

NextCloud VPS

Plesk VPS

OnlyOffice Docs VPS

E-Mail

E-Mail

E-Mail migration service

E-Mail Basis

Microsoft 365

Zimbra Open Source

Spam Filter Service

E-Mail Delivery Service

For agencies

Reseller Hosting

Hosting migration service

Hackers exploit critical “zero day” leak affecting more than 350,000 websites

As a website owner, what should you do now?

Additional technical information (for IT professionals)

Share this article

Related Articles

Use SMS as a second factor

Sign up for maintenance notifications using Discord or Teams from now on

🤖 Microsoft Copilot for Microsoft 365 available now

301 redirects now automatically via https

Hungry for news?