WordPress 'File Manager' Plugin Patches Critical Zero-Day Exploited in Attacks (Security News, September 2020)

The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability.
Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.
Hosting provider Seravo says that File Manager versions prior to 6.9 are affected and that disabling the plugin does not prevent exploitation.
"We urgently advise everybody using anything less than the latest WP File Manager version 6.9 to update to the latest version or alternatively uninstall the plugin," Seravo says.
The issue was found to reside in code taken from the elFinder project, a framework meant to provide web apps with a file explorer GUI. The code was published as an example, but was added to the WordPress plugin, allowing unauthenticated attackers to upload files. According to Wordfence, the plugin renamed "the extension on the elFinder library's connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself."
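The two facts above (an example elFinder connector shipped as a directly executable .php file, and a plugin version below 6.9) are what a site owner would want to check for across an installed plugins directory. The following read-only audit script is an added example written for this page, not code from the article, Wordfence, Seravo or the plugin's authors. It assumes only the standard WordPress plugin header format (`Plugin Name:` / `Version:` in the plugin's main .php file) and the two file names the article gives; the plugin's internal directory layout is not taken from the page, so the connector is searched for recursively instead of at a fixed path. The sample plugin tree it builds is constructed for the demonstration.

```python
# Added example (not from the article or the plugin): audit a WordPress
# plugins directory for (a) an elFinder connector.minimal.php shipped in
# executable form and (b) a File Manager plugin older than 6.9.
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (6, 9)               # article: versions prior to 6.9 are affected
CONNECTOR = "connector.minimal.php"  # the .dist example renamed to .php is the defect
# Standard WordPress header lines, with or without a leading " * " in a docblock.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'6.8' -> (6, 8). Tuples compare numerically, so 6.10 > 6.9."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def plugin_header(plugin_dir):
    """Return the header fields from the first top-level .php file that
    carries a 'Plugin Name:' line (WordPress convention), else {}."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields
    return {}


def executable_connectors(plugin_dir):
    """Paths of elFinder connectors ending in .php (directly executable).
    The .dist example file is not matched, because it is not served as PHP."""
    return [str(p) for p in sorted(Path(plugin_dir).rglob(CONNECTOR))]


def audit_plugin(plugin_dir):
    """List of findings for one plugin directory; empty means nothing flagged."""
    findings = []
    for path in executable_connectors(plugin_dir):
        findings.append(f"elFinder connector shipped executable: {path}")
    header = plugin_header(plugin_dir)
    version = header.get("Version")
    if "file manager" in header.get("Plugin Name", "").lower() and version:
        if parse_version(version) < FIXED_VERSION:
            findings.append(f"File Manager {version} is older than 6.9; update or uninstall")
    return findings


def audit_plugins_root(root):
    """Map each plugin directory name to its findings."""
    return {d.name: audit_plugin(d) for d in sorted(Path(root).iterdir()) if d.is_dir()}


def build_sample_tree(root):
    """Constructed fixtures (not real plugin code): one outdated File Manager
    install with an executable connector, one unrelated plugin that only
    ships the .dist example."""
    old = Path(root, "file-manager-old")
    (old / "lib" / "php").mkdir(parents=True)
    (old / "plugin.php").write_text(
        "<?php\n/**\n * Plugin Name: File Manager\n * Version: 6.8\n */\n")
    (old / "lib" / "php" / CONNECTOR).write_text("<?php // constructed stand-in\n")

    other = Path(root, "other-plugin")
    (other / "vendor").mkdir(parents=True)
    (other / "plugin.php").write_text(
        "<?php\n/*\nPlugin Name: Other Plugin\nVersion: 1.0\n*/\n")
    (other / "vendor" / (CONNECTOR + ".dist")).write_text("<?php // example only\n")


def demo():
    """Run the audit over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_plugins_root(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["clean"])
```

Run it against a live site with `audit_plugins_root("/path/to/wp-content/plugins")`; the script only reads files, and a non-empty finding list is the signal to update to 6.9 or remove the plugin, as Seravo recommends.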