Vulnerability in WordPress File Manager Plugin

NJCCIC Advisory

Original Release Date: 9/4/2020

Summary

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. WordPress is a web-based publishing application implemented in PHP, and the File Manager plugin allows site administrators to upload, edit, and delete files and folders directly from the WordPress backend without having to use FTP. Successful exploitation of this vulnerability could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Threat Intelligence

On August 25, 2020, a proof-of-concept (PoC) exploit script was published to a GitHub repository. In addition, there are reports of this vulnerability being actively exploited in the wild.

Systems Affected

  • File Manager versions 6.0 – 6.8.

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low

Technical Summary

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. This vulnerability exists due to the improper inclusion of an open-source file manager library called elFinder. It appears that the file “connector.minimal.php-dist” was stored in an executable format (renamed to .php), and that the renamed file “could be accessed by anyone”. An attacker could exploit this flaw by sending a specially crafted request to the connector.minimal.php file, which can lead to remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Recommendations

We recommend the following actions be taken:

  • Apply appropriate updates provided by File Manager to affected systems, immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
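As an added, defender-side illustration that is not part of the advisory, the following Python script covers two of the checks implied by the Technical Summary and the recommendations above: it looks for an executable copy of the elFinder connector (connector.minimal.php rather than connector.minimal.php-dist) under a plugins directory, and it flags web-server access-log entries that reach that file directly. The plugin folder name (PLUGIN_DIR) and the log lines are constructed placeholders, not values from the advisory.

```python
import os
import re
from typing import List, Tuple

# File name from the advisory: the elFinder connector is only reachable by the
# web server when stored under the executable .php name, not as .php-dist.
CONNECTOR = "connector.minimal.php"


def find_exposed_connectors(plugins_dir: str) -> List[str]:
    """Walk plugins_dir and return every executable connector.minimal.php.

    connector.minimal.php-dist copies are ignored: the web server does not
    execute them, so they are not reachable as described in the advisory.
    """
    hits = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name == CONNECTOR:
                hits.append(os.path.join(root, name))
    return sorted(hits)


# Common/combined log prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_connector_requests(lines) -> List[Tuple[str, str, str, str, int]]:
    """Return (ip, timestamp, method, path, status) for requests that hit the
    connector file directly. On a 6.0-6.8 install every such request deserves
    review, because the file was reachable without authentication."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line; skip rather than guess
        ip, ts, method, path, status = m.groups()
        if path.split("?", 1)[0].endswith("/" + CONNECTOR):
            flagged.append((ip, ts, method, path, int(status)))
    return flagged


# Constructed sample log lines; PLUGIN_DIR stands in for the plugin's folder name.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Sep/2020:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [04/Sep/2020:10:15:09 +0000] "POST /wp-content/plugins/PLUGIN_DIR/connector.minimal.php HTTP/1.1" 200 341',
    '203.0.113.5 - - [04/Sep/2020:10:16:44 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
]
```

Run `find_exposed_connectors` against the site's wp-content/plugins path and feed `flag_connector_requests` the access log; a connector file found on disk combined with any flagged request is the signal to pursue the "verify no unauthorized modifications" step before patching.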

References

Wordfence:
https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/

GitHub:
https://github.com/w4fz5uck5/wp-file-manager-0day

Reporting

We encourage recipients who discover signs of malicious cyber activity to contact us via the cyber incident report form.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
