The popular WordPress plugin File Manager has a serious vulnerability allowing an unauthenticated user to run the file manager commands by directly accessing an unprotected file from its elFinder package. File Manager is a plugin used by WordPress administrators to help manage files on their WP sites.
More than 700,000 WordPress websites use the File Manager plugin, and currently 52% of them are vulnerable to attack.
All versions of the File Manager plugin ranging from 6.0 to 6.8 are affected and are prone to backdooring, which is potentially more than 350,000 installations that use these versions of the plugin. The patched version 6.9, which was released on 1st September, fixes the vulnerability and the installations using it are not prone to exploits.
Attacks exploiting this vulnerability are ongoing. The most common tactic attackers use is to upload a file named hardfork.php and then use it to inject malicious scripts and code directly into the WordPress core files /wp-admin/admin-ajax.php and /wp-includes/user.php.
Some attackers are even password-protecting the vulnerable file in order to prevent other attackers from exploiting sites they have already infected. This strongly suggests they plan to return to the site and do more serious damage. While some attackers used the vulnerability to upload malicious scripts, in other cases the injected files are empty, which suggests that some attackers are currently only probing the vulnerability.
We highly recommend that you update to version 6.9 as soon as possible. We also advise that you uninstall utility plugins of this kind, as they introduce a large security risk and are usually not essential for the website. Also, make sure that you always update your WordPress installation and plugins in a timely manner.
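To turn the points above into a quick defender-side check, here is an added triage script (written for this article, not code from the plugin or from Wordfence). It reads the plugin's version from the standard WordPress plugin header, flags the 6.0 to 6.8 range named above, and looks for the hardfork.php indicator file. It assumes the plugin lives under wp-content/plugins/ and declares itself with the header line "Plugin Name: File Manager" and a "Version:" line; the core files it lists for manual review are the two named in this post. All sample inputs in the test are constructed.

```python
"""Triage helper for the File Manager plugin issue described above.

Assumptions (not from the advisory): the plugin's main PHP file carries the
standard WordPress header lines "Plugin Name: File Manager" and "Version: x.y",
and the plugin directory sits directly under wp-content/plugins/.
The indicator file name and the two core files come from the advisory text.
"""
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

VULNERABLE_MIN = (6, 0)  # first affected release per the advisory
VULNERABLE_MAX = (6, 8)  # last affected release; 6.9 carries the fix
INDICATOR_FILENAME = "hardfork.php"  # file attackers upload (from the advisory)
# Core files the advisory says attackers inject code into; compare their
# modification times against your last known-good deployment.
TARGETED_CORE_FILES = ("wp-admin/admin-ajax.php", "wp-includes/user.php")

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)
_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*File Manager\s*$", re.MULTILINE)


def parse_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the 'Version:' header of a plugin file as an integer tuple."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for 6.0 <= major.minor <= 6.8; patch levels are ignored so any
    6.8.x is flagged conservatively for review."""
    major_minor = tuple(version[:2]) + (0,) * (2 - len(version[:2]))
    return VULNERABLE_MIN <= major_minor <= VULNERABLE_MAX


def find_indicators(relative_paths: Iterable[str]) -> List[str]:
    """Return every path (relative to the WordPress root, forward slashes)
    whose file name matches the indicator file name."""
    return sorted(p for p in relative_paths if p.rsplit("/", 1)[-1] == INDICATOR_FILENAME)


def triage(header_text: Optional[str], relative_paths: Iterable[str]) -> dict:
    """Combine version and indicator checks into one verdict."""
    version = parse_version(header_text) if header_text else None
    indicators = find_indicators(relative_paths)
    vulnerable = bool(version) and is_vulnerable(version)
    if indicators:
        action = "indicator present: treat the site as compromised and investigate before updating"
    elif vulnerable:
        action = "update File Manager to 6.9 or later, or remove the plugin"
    else:
        action = "no finding from this check; still review the core files listed"
    return {
        "plugin_version": version,
        "vulnerable_version": vulnerable,
        "indicator_files": indicators,
        "review_core_files": list(TARGETED_CORE_FILES),
        "action": action,
    }


def scan_wordpress_root(root: str) -> dict:
    """Walk a real install: locate the plugin header and collect file paths."""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    header_text = None
    rel_paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel_paths.append(os.path.relpath(full, root).replace(os.sep, "/"))
            # Main plugin files live one level below wp-content/plugins/.
            if header_text is None and name.endswith(".php") and os.path.dirname(dirpath) == plugins_dir:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)
                if _NAME_RE.search(head):
                    header_text = head
    return triage(header_text, rel_paths)


if __name__ == "__main__":
    wp_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, value in scan_wordpress_root(wp_root).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py /var/www/html` against the WordPress root. A hit on hardfork.php is treated as a compromise indicator regardless of the installed version, because the advisory notes that attackers leave behind files even when they only probe; a version in the affected range with no indicator simply means update or uninstall.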
The popular security plugin Wordfence is already blocking thousands of these attempts for their premium users. In their own post, Wordfence said they had blocked more than 450,000 exploit attempts in the past few days.