WordPress sites running the File Manager plugin are being hounded by hackers, thanks to a critical vulnerability found in some of the plugin versions. Find out what makes this vulnerability so attractive to cybercriminals and how to get rid of it.

WordPress sites running the File Manager plugin are being hounded by hackers, thanks to a critical vulnerability found in some of the plugin versions. The vulnerability allows unauthenticated users — in other words, anyone and everyone — to upload files to the site as well as execute commands within it, provided the users know how to exploit the flaw. Since the vulnerability’s proof of concept code has already been posted on GitHub, many cybercriminals know exactly what to do. “An attacker could potentially do whatever they choose to — steal private data, destroy the site, or use the website to mount further attacks on other sites or the infrastructure,” according to a security researcher at Seravo.

Vulnerabilities on Both Sides

The vulnerability exists in both the free and paid editions of the plugin, according to its developer. “On Tuesday, September 1st at 11:50 am GMT, we became aware of a vulnerability within [our plugin] that affected users using the free WordPress File Manager plugin versions 6.0 to 6.8 and WordPress File Manager Pro plugin versions 7.6 to 7.8,” said the developer. “The File Manager plugin was immediately patched and updated within the hour on September 1st at 12:46 pm GMT.”

File Manager 6.9 (free edition) and File Manager Pro 8.0 (paid edition) include the patch. Security experts are urging users to check which version their WordPress sites are running and upgrade the plugin immediately if it is one of the affected versions. There is good reason for this urgency. Hackers are actively searching the Internet for WordPress sites that use the affected plugins. “This exploit quickly gained popularity,” noted a threat researcher at Sucuri. “We have currently seen hundreds of thousands of requests from malicious actors attempting to exploit it.”

Slow to Upgrade

Plugin users, though, have been slow to upgrade. For example, at the time of this writing, only 25% of the File Manager (free edition) installations are running File Manager 6.9, according to WordPress. More important, 24% of the installations are still using versions 6.0 through 6.8. Since there are more than 600,000 active installations of the free File Manager plugin, this means there are more than 144,000 WordPress sites that can easily be attacked or even hijacked.

The remaining 51% of the File Manager installations are running version 5.9 or earlier, so they are not affected by the vulnerability. However, it is still risky to use these older versions because they might have other vulnerabilities that have not been patched.
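The version check urged above, and the three-way split the article draws (affected 6.0 to 6.8 / 7.6 to 7.8, patched 6.9 / 8.0, older 5.9-and-below line that this bug does not touch but that is still unpatched), as an added example that is not the article's or the plugin developer's code. It parses the `Plugin Name:` and `Version:` fields from WordPress plugin header comments and classifies them; the header texts, the file paths and the exact plugin names "File Manager" / "File Manager Pro" are constructed assumptions.

```python
import re

# Version ranges quoted in the article (inclusive, compared on major.minor)
# and the releases the developer says carry the fix.
AFFECTED = {
    "File Manager": ((6, 0), (6, 8)),
    "File Manager Pro": ((7, 6), (7, 8)),
}
PATCHED = {"File Manager": (6, 9), "File Manager Pro": (8, 0)}

def parse_version(text):
    """Reduce '6.8', '6.8.1' or '6.10' to a (major, minor) integer tuple,
    so that 6.10 sorts after 6.9 (a plain string compare would get it wrong)."""
    parts = [int(p) for p in re.findall(r"\d+", text)] + [0, 0]
    return tuple(parts[:2])

def read_header(source):
    """Pull 'Plugin Name' and 'Version' out of a WordPress plugin header comment."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[\s*#/]*" + key + r":\s*(.+?)\s*$", source, re.M)
        if m:
            fields[key] = m.group(1)
    return fields

def classify(name, version):
    """'vulnerable' (inside the affected range), 'patched' (at or past the fixed
    release), 'outdated' (older line not hit by this bug, e.g. 5.9), or 'unknown'."""
    if name not in AFFECTED:
        return "unknown"
    v = parse_version(version)
    low, high = AFFECTED[name]
    if low <= v <= high:
        return "vulnerable"
    if v >= PATCHED[name]:
        return "patched"
    return "outdated"

def audit(plugin_sources):
    """Map each plugin main file to (name, version, status); files without a header are skipped."""
    report = {}
    for path, source in plugin_sources.items():
        h = read_header(source)
        if "Plugin Name" in h and "Version" in h:
            report[path] = (h["Plugin Name"], h["Version"],
                            classify(h["Plugin Name"], h["Version"]))
    return report

# Constructed sample headers (paths and names are assumptions, not from the
# article); a real audit would read the main .php file of each installed plugin.
SAMPLE_PLUGINS = {
    "wp-file-manager/main.php": "<?php\n/**\n * Plugin Name: File Manager\n * Version: 6.8\n */\n",
    "wp-file-manager-pro/main.php": "<?php\n/*\nPlugin Name: File Manager Pro\nVersion: 8.0\n*/\n",
}

if __name__ == "__main__":
    for path, (name, ver, status) in audit(SAMPLE_PLUGINS).items():
        print(f"{path}: {name} {ver} -> {status}")
```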

If your business has a WordPress site, you need to make sure that it is not running an old version of File Manager or File Manager Pro. We can check the site for you, making sure that all of your installed plugins and themes are the most current version.

Hacker Flickr photo by Infosec Images, shared under a Creative Commons (BY) license