
Security flaw in WordPress File Manager Plugin.

The critical vulnerability has been utilized in hundreds of thousands of attacks.

The developers of the WordPress File Manager plugin have patched an actively exploited security issue that permitted full website hijacking.

According to the Sucuri WordPress security team, the vulnerability emerged in version 6.4 of the software, which is used as an alternative to FTP for managing file transfers, copying, deletion, and uploads.

File Manager accounts for over 700,000 active installations. 

In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project. 


The file in question was pulled from the third-party dependency elFinder and used as a code reference. The change to the file's extension, renaming connector-minimal.php-dist to connector-minimal.php, was a small tweak, but it was enough to turn the file into a critical vulnerability in the popular plugin.

elFinder's script, as a file manager, grants users elevated privileges to modify, upload, and delete files. Because the system is built for ease of use, setting up the elFinder file manager takes nothing more than changing the file's extension from .php-dist to .php: the inert template becomes a live script that the web server will execute, and so the avenue for attacks was opened.
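A defender's check for this failure mode, added here and not part of the article or of the plugin's own code: it walks a plugins directory and flags any connector template (a file ending in .php-dist) whose live .php twin is present, as well as the connector-minimal.php name the article cites. The directory layout and file contents below are constructed for illustration.

```python
"""Audit a WordPress plugins tree for file-manager connector templates that
have gone live: a *.php-dist template shipped beside its *.php twin.
Added example; the sample tree and paths are constructed, not the plugin's."""
import os
import tempfile

# File name the article gives for the accidentally renamed elFinder connector.
KNOWN_LIVE_CONNECTOR = "connector-minimal.php"
DIST_SUFFIX = ".php-dist"


def find_live_connectors(root):
    """Return sorted POSIX-style paths (relative to root) of .php files that
    are the live twin of a .php-dist template, or that carry the known
    connector name even when the template is no longer present."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        reldir = os.path.relpath(dirpath, root)
        for name in files:
            if name == KNOWN_LIVE_CONNECTOR:
                findings.add(os.path.join(reldir, name))
            elif name.endswith(DIST_SUFFIX):
                # Template present: is its executable twin sitting next to it?
                live = name[: -len(DIST_SUFFIX)] + ".php"
                if live in names:
                    findings.add(os.path.join(reldir, live))
    return sorted(p.replace(os.sep, "/") for p in findings)


def build_sample_tree(root):
    """Constructed plugins tree: one template correctly left inert, one
    renamed to .php as in the 6.4 release, one generic live twin, and an
    ordinary plugin entry point that must not be flagged."""
    layout = {
        "good-plugin/lib/connector.php-dist": "<?php // template only",
        "wp-file-manager/lib/connector-minimal.php-dist": "<?php // template",
        "wp-file-manager/lib/connector-minimal.php": "<?php // live copy",
        "wp-file-manager/file_manager.php": "<?php // plugin entry point",
        "another-plugin/elfinder/connector.php-dist": "<?php // template",
        "another-plugin/elfinder/connector.php": "<?php // live copy",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def run_sample_audit():
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_live_connectors(tmp)


if __name__ == "__main__":
    for hit in run_sample_audit():
        print("live connector script:", hit)
```

Run against a real site, point `find_live_connectors` at wp-content/plugins; a hit means a shipped template is being served as executable code and should be removed or the plugin updated.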

