Original Release Date: 9/10/2020
Threat actors are actively exploiting a zero-day vulnerability affecting a WordPress plugin. The flaw resides in File Manager, a plugin designed to help WordPress administrators manage files on their websites. In the active attacks, threat actors issue a command that uploads PHP files containing webshells hidden within an image to the elFinder library. This may allow an attacker to perform remote code execution, manipulate or execute additional files, and escalate privileges. A patch was released on September 1, 2020, and an additional firewall rule was released to premium customers, while users running the free version are set to receive the rule on October 1, 2020. At this time, an estimated 700,000 WordPress users are affected by this vulnerability.
The NJCCIC recommends users of the File Manager plugin update to version 6.9 immediately and disable the plugin when not in use. Additionally, we recommend users apply the Principle of Least Privilege to all systems and services and monitor intrusion detection logs for indicators of compromise (IOCs). Technical details and IOCs can be found in the Wordfence blog post.
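One way to act on the monitoring recommendation, as an added example that is not from the NJCCIC advisory or the Wordfence post: a Python sweep of a web-writable directory for files that carry a PHP extension, or that begin with an image header yet contain a PHP open tag. The directory argument, the extension list and the sample files are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")  # JPEG, PNG, GIF
PHP_EXTS = {"php", "phtml", "phar", "php5", "php7"}  # assumed list, extend as needed
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)
MAX_READ = 8 * 1024 * 1024  # cap on bytes read per file

def classify(path):
    """Return a reason string if the file looks suspicious, else None."""
    p = Path(path)
    with p.open("rb") as fh:
        data = fh.read(MAX_READ)
    parts = p.name.lower().split(".")[1:]
    is_image = data.startswith(IMAGE_MAGIC)
    if any(part in PHP_EXTS for part in parts):
        # Covers name.php and double extensions such as name.php.jpg.
        return "PHP extension with image header" if is_image else "PHP extension"
    if is_image and PHP_TAG.search(data):
        return "image header with embedded PHP tag"
    return None

def scan(root):
    """Walk root recursively and return sorted (relative path, reason) findings."""
    findings = []
    for p in Path(root).rglob("*"):
        try:
            reason = classify(p) if p.is_file() else None
        except OSError:
            continue  # unreadable file: skip it
        if reason:
            findings.append((str(p.relative_to(root)), reason))
    return sorted(findings)

def make_samples(root):
    """Write constructed sample files with a harmless PHP payload for a demo run."""
    php = b"<?php echo 'constructed sample'; ?>"
    samples = {"clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "notes.txt": b"hello",
               "hidden.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + php, "x.php": b"GIF89a" + php}
    for name, body in samples.items():
        Path(root, name).write_bytes(body)
    return root

if __name__ == "__main__":
    # Scan the directory given on the command line, or constructed samples if none is given.
    root = sys.argv[1] if len(sys.argv) > 1 else make_samples(tempfile.mkdtemp())
    for rel, reason in scan(root):
        print(f"{reason}: {rel}")
```

A hit is a lead for review rather than proof of compromise, and legitimate PHP files will be flagged if the scanned directory is not meant to hold uploads only.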