A critical vulnerability in a popular WordPress plugin called WP File Manager was spotted on Tuesday and was quickly patched by the plugin's developers.
But the flaw, which allows arbitrary file uploads and remote code execution on WordPress websites, is already being actively exploited.
The WPScan WordPress Vulnerability Database, alerted to the bug by Finland-based WordPress service provider Seravo, says that there have been multiple WordPress sites compromised as a result of the zero-day hole in WP File Manager.
According to Sucuri threat vetter Anthony Garand, a WP File Manager developer renamed a file during local testing of version 6.4 and then accidentally added it to the project. The file, part of an open source library called elFinder, had a .php.dist extension that got changed to .php so it would be executable.
"This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover," Garand explains in a blog post.
Jerome Bruandet, CEO of Thailand-based web security biz NinTechNet, also posted about the bug and said he's aware of attempts to exploit the vulnerability.
"It is actively exploited as we're still seeing today many attempts to exploit the vulnerability," he said in an email to The Register. "A lot of websites were attacked but we can't know yet how many because some users won't notice they were hacked before several days."
Bruandet said the attacks were detected quickly, which has helped limit the damage, but added that the bug is critical because the vulnerable script can be accessed directly, without loading WordPress and even if the plugin has been deactivated.
WP File Manager has more than 700,000 active installations and WordPress admins are being urged to update immediately.
The vulnerability affects versions 6.4 through 6.8. The patch arrived in version 6.9.
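A defender-side audit of the two points above, as an added example that is not from the article, the plugin or Sucuri: it reads the plugin's version header and compares it with the 6.4 to 6.8 range, and it lists plugin PHP files that carry no `ABSPATH` guard, i.e. files that, like the renamed elFinder script, would run on a direct request without WordPress loading. The fixture directory, its `sample-connector.php` name and the `Version: 6.5` header are constructed for the demonstration; flagged files still need manual review, since a class-only file is harmless on its own.

```python
import re
import tempfile
from pathlib import Path

# Affected range reported in the article: 6.4 through 6.8, fixed in 6.9.
AFFECTED_MIN, AFFECTED_MAX = (6, 4), (6, 8)

# "Version:" line of a WordPress plugin header block.
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.M)
# The usual WordPress idiom that blocks direct requests to a plugin file.
ABSPATH_GUARD = re.compile(r"defined\(\s*['\"]ABSPATH['\"]\s*\)")

def parse_version(text):
    m = VERSION_HEADER.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def version_affected(version):
    # Compare on major.minor only, so 6.8.x still counts as affected.
    return version is not None and AFFECTED_MIN <= version[:2] <= AFFECTED_MAX

def plugin_version(plugin_dir):
    # The main plugin file sits at the top level and carries the header.
    for php in sorted(Path(plugin_dir).glob("*.php")):
        v = parse_version(php.read_text(errors="ignore"))
        if v:
            return v
    return None

def unguarded_php(plugin_dir):
    # .php.dist files are skipped on purpose: the web server will not run them.
    root = Path(plugin_dir)
    return [str(p.relative_to(root)) for p in sorted(root.rglob("*.php"))
            if not ABSPATH_GUARD.search(p.read_text(errors="ignore"))]

def audit(plugin_dir):
    v = plugin_version(plugin_dir)
    return {"version": v, "affected": version_affected(v),
            "unguarded": unguarded_php(plugin_dir)}

def make_sample_plugin():
    """Constructed fixture: a guarded main file plus one library script
    that, like a renamed .php.dist, answers direct requests."""
    root = Path(tempfile.mkdtemp())
    (root / "plugin.php").write_text("<?php\n/*\nPlugin Name: Sample\nVersion: 6.5\n*/\n"
                                     "if (!defined('ABSPATH')) exit;\n")
    (root / "lib" / "php").mkdir(parents=True)
    (root / "lib" / "php" / "sample-connector.php").write_text("<?php\necho 'ok';\n")
    (root / "lib" / "php" / "sample-connector.php.dist").write_text("<?php\n// template\n")
    return root

if __name__ == "__main__":
    print(audit(make_sample_plugin()))
```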
"The update can be done automatically in WordPress, otherwise the user must choose to install it," Bruandet explained. "Installing the plugin will clear the folder where the backdoor is uploaded. But hackers are also infecting some WordPress core files and adding some code to control the site from a Telegram bot."
He said that forcing a WordPress reinstallation from the Updates menu in the app Dashboard should purge such files. ®