A vulnerability has affected the popular WordPress plugin File Manager. The plugin is currently active on 600,000 WordPress sites, and it was installed on more than 700,000 websites when they were probed and attacked.
The attacks occurred after the hackers discovered a zero-day vulnerability in the plugin. The zero-day was an unrecognized file upload vulnerability that allowed an attacker to upload malicious files to a site running an older version of the File Manager plugin.
It’s unclear how the hackers discovered the zero-day, but they began probing sites where the plugin might be installed earlier this week.
If a probe was successful, the attackers exploited the zero-day and uploaded a web shell, disguised as an image file, onto the victim’s server. The attackers could then access the web shell, take over the victim’s site and ensnare it in a botnet.
Many websites have been attacked
“Attacks against this vulnerability have risen dramatically over the last few days,” said Ram Gall, Threat Analyst at Defiant.
The attacks began slowly but intensified throughout the week, with Defiant recording attacks against 1 million WordPress sites on Friday, September 4 alone.
In total, Gall says Defiant has blocked attacks on more than 1.7 million sites since September 1, when the attacks first came to light.
The figure of 1.7 million is more than half the number of WordPress sites that use the Wordfence web firewall. Gall believes the true scale of the attacks is even bigger, as WordPress is installed on hundreds of millions of sites, all of which are likely to be probed and hacked gradually.
The good news is that the plugin was patched on the same day the attacks were discovered. The vulnerability affected users of the free File Manager versions 6.0 to 6.8 and File Manager Pro versions 7.6 to 7.8; the plugin was patched and updated within the hour, on September 1st at 12:46pm GMT.
Moreover, it is this slowness in applying patches that recently drove the WordPress developer team to add an auto-update feature for WordPress themes and plugins. Starting with WordPress 5.5, released last month, website owners can configure plugins and themes to auto-update each time a new release is out, ensuring their sites always run the latest version of a theme or plugin and are safe from attacks.
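As an added example, not code from the article or from the plugin, the following Python script performs two checks a site owner would want after reading the above: whether an installed File Manager version falls in the affected ranges the article lists, and whether any file under an uploads directory carries an image extension but non-image (PHP) content, the disguise the article describes. The sample directory and its files are constructed inline; the magic-byte table and the major.minor version comparison are assumptions.

```python
import os
import tempfile

# Magic bytes a genuine image starts with (assumption: only these types are checked).
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
PHP_MARKERS = (b"<?php", b"<?=")

# Version ranges the article reports as affected (free 6.0-6.8, Pro 7.6-7.8).
AFFECTED = {"free": ((6, 0), (6, 8)), "pro": ((7, 6), (7, 8))}


def is_affected(edition, version):
    """True if edition/version (compared on major.minor) falls in an affected range."""
    major, minor = (int(p) for p in (version.split(".") + ["0"])[:2])
    low, high = AFFECTED[edition]
    return low <= (major, minor) <= high


def suspicious_uploads(root):
    """Relative paths of files that carry an image extension but not image content."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            # Wrong magic bytes, or PHP tags anywhere (covers PHP appended after a real header).
            if not data.startswith(IMAGE_MAGIC[ext]) or any(m in data for m in PHP_MARKERS):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Constructed uploads tree: one genuine PNG header, one PHP file named as a JPEG."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "photo.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC[".png"] + b"\x00" * 32)
    with open(os.path.join(root, "cat.jpg"), "wb") as fh:
        fh.write(b"<?php /* constructed marker, not a shell */ ?>")
    return suspicious_uploads(root)


if __name__ == "__main__":
    print(is_affected("free", "6.8"), demo())  # True ['cat.jpg']
```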