Critical zero-day vulnerability found in 350,000+ WordPress installations
The popular and widely downloaded File Manager plugin for WordPress was identified to have a serious vulnerability back in 2020.
The vulnerability allowed unauthenticated users to run file manager commands by directly requesting an unprotected file from the plugin’s bundled ‘elFinder’ package.
The File Manager plugin itself is a tool that WordPress site administrators and owners use to manage files on their installations.
700,000 WordPress websites used the File Manager plugin; 52% of them were vulnerable.
The flaw was not limited to a couple of plugin versions. It affected every release from 6.0 to 6.8, leaving File Manager open to backdoor access by attackers and to other cyberattacks.
The estimated number of affected WordPress installations was around 350,000, more than half of the roughly 700,000 sites that had the plugin installed at the time the exploit was discovered.
The patched version, 6.9, was released on September 1st, 2020, fixing the vulnerability for every installation that applied the update.
Types of exploits for the outdated WP File Manager plugin
However, WordPress sites that did not update to File Manager 6.9 remained a target. The most common tactic used by malicious actors was to first upload a script named hardfork.php through the exploit and then use that script to inject malicious code into default WordPress files, namely /wp-admin/admin-ajax.php and /wp-includes/user.php.
Some attackers went as far as password-protecting the vulnerable file so that others could not exploit the sites they had already infected. This suggested that the initial intruders planned to come back and do further damage.
There were also those who were merely probing the limits of the system and the exploit rather than intending harm. These individuals only injected empty files into the WordPress installation to understand how the vulnerability worked and whether access could be prevented.
All of this made it necessary for users to update to the patched 6.9 version as soon as possible to avoid having their websites exploited as well.
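As an added example (not code from this post, the plugin, or Wordfence), here is a Python check a site operator could run against a WordPress install to surface the three conditions described above: a File Manager version in the affected 6.0 to 6.8 range, a hardfork.php script left on disk, and modifications to the two core files named above, compared against hashes taken from a clean copy. The plugin's main-file path is an assumed placeholder, and the sample install is constructed in a temporary directory.

```python
import hashlib, os, re, tempfile

AFFECTED_MIN, PATCHED = (6, 0), (6, 9)   # affected range from the post; 6.9 is the fix
CORE_FILES = ("wp-admin/admin-ajax.php", "wp-includes/user.php")  # files the post names
DROPPER = "hardfork.php"                 # script the post says attackers uploaded first
# Assumed location of the plugin's main file (placeholder, not the plugin's real path).
PLUGIN_MAIN = "wp-content/plugins/FILE-MANAGER-PLUGIN/plugin.php"

def parse_plugin_version(header_text):
    """Read the 'Version:' line of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(wp_root, baseline):
    """Return findings for one install; baseline maps core file -> known-good sha256."""
    findings = []
    plugin = os.path.join(wp_root, PLUGIN_MAIN)
    if os.path.exists(plugin):
        with open(plugin, encoding="utf-8", errors="replace") as f:
            v = parse_plugin_version(f.read())
        if v is not None and AFFECTED_MIN <= v < PATCHED:
            findings.append("vulnerable plugin version " + ".".join(map(str, v)))
    for rel, good in baseline.items():  # tampered core files
        full = os.path.join(wp_root, rel)
        if os.path.exists(full) and sha256_file(full) != good:
            findings.append("core file modified: " + rel)
    for dirpath, _, files in os.walk(wp_root):  # dropper left anywhere in the tree
        if DROPPER in files:
            findings.append("dropper present: " + os.path.relpath(dirpath, wp_root))
    return sorted(findings)

def put(root, rel, text):  # write one constructed file under the temporary root
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)

def demo():
    """Constructed sample install: plugin 6.8, tampered user.php, dropper present."""
    root = tempfile.mkdtemp()
    for rel in CORE_FILES:
        put(root, rel, "<?php // clean " + rel)
    baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in CORE_FILES}
    put(root, PLUGIN_MAIN, "<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/")
    put(root, "wp-includes/user.php", "<?php // clean wp-includes/user.php\n// injected")
    put(root, "wp-content/plugins/FILE-MANAGER-PLUGIN/lib/" + DROPPER, "<?php")
    return scan(root, baseline)
```

On a real install the baseline hashes should come from a pristine copy of the same WordPress release, and the scan should be run from a trusted host rather than through the possibly compromised site.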
Plugins that helped reduce the damage
One WordPress plugin that helped mitigate the impact, and in many cases prevented damage altogether, was Wordfence. Its developers reported blocking more than 450,000 exploit attempts in the period after the vulnerability was first discovered.
The aftermath of the WP vulnerability
This case made it clear that utility plugins like this one can become an unforeseen backdoor and should be installed and monitored with caution. It also showed how important it is to keep your system and its files up to date, and how directly that affects your privacy and security.
If you would like to never have to worry about becoming a target when such an exploit is discovered, you can consider using our shared hosting services. With them, you will always be protected from malicious script uploads by our Imunify360 defense, which is included in every plan for free!