Critical vulnerability in the File Manager WordPress plugin with 700 thousand installs

A vulnerability has been identified in the WordPress plugin File Manager, which has more than 700 thousand active installations, that allows arbitrary commands and PHP scripts to be run on the server. The issue is present in File Manager releases 6.0 through 6.8 and is fixed in release 6.9.

The File Manager plugin provides file management tools for the WordPress admin panel and uses the bundled elFinder library for low-level file manipulation. The source code of the elFinder library includes example files, which are shipped in the working directory with the ".dist" extension. The vulnerability is caused by the fact that, when the library was packaged into the plugin, the "connector.minimal.php.dist" file was renamed to "connector.minimal.php" and thereby became executable via external requests. This script allows any file operation to be performed (upload, open, editor, rename, rm, etc.), since its parameters are passed to the run() function of the main plugin; this can be used to replace PHP files in WordPress and run arbitrary code.

The danger is exacerbated by the fact that the vulnerability is already being used in automated attacks. In these attacks, an image containing PHP code is uploaded to the "plugins/wp-file-manager/lib/files/" directory using the "upload" command and then renamed to a PHP script whose name is chosen randomly and contains the text "hard" or "x." (for example hardfork.php, hardfind.php, x.php, etc.). Once launched, the PHP code adds a backdoor to the /wp-admin/admin-ajax.php and /wp-includes/user.php files, giving attackers access to the site's admin interface. Exploitation is carried out by sending a POST request to the file "wp-file-manager/lib/php/connector.minimal.php".

It is noteworthy that after the compromise, in addition to leaving the backdoor, the attackers also modify the vulnerable connector.minimal.php file to restrict further access to it, in order to block other attackers from exploiting the same server.

The first attack attempts were detected on September 1 at 7 am (UTC). At 12:33 (UTC) the File Manager plugin developers released a patch. According to Wordfence, the company that identified the vulnerability, its firewall blocked about 450 exploitation attempts in a single day. Network scanning showed that 52% of sites using this plugin have not yet updated and remain vulnerable. After installing the update, it makes sense to check the HTTP server log for requests to the "connector.minimal.php" script to determine whether the system has been compromised.
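The log check recommended above, written out as an added example (this is not code from opennet.ru, Wordfence or the plugin). It assumes the web server writes the common/combined access log format; the log lines and the file list it scans are constructed samples, and the year in their timestamps is an assumption. It flags every request to connector.minimal.php (the page says legitimate use never needs it to be reachable externally), any PHP file served from the plugin's lib/files/ upload directory, and any .php file found on disk under that directory.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2020:07:02:11 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.10 - - [01/Sep/2020:07:02:12 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=rename HTTP/1.1" 200 310 "-" "python-requests/2.24"
198.51.100.7 - - [01/Sep/2020:07:02:15 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 1024 "-" "curl/7.68.0"
192.0.2.4 - - [01/Sep/2020:08:10:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.4 - - [01/Sep/2020:08:10:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed list of files as they might appear under the plugin directory on disk.
SAMPLE_FILES = [
    "wp-content/plugins/wp-file-manager/lib/files/logo.png",
    "wp-content/plugins/wp-file-manager/lib/files/x.php",
    "wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php",
    "wp-content/plugins/wp-file-manager/file_folder_manager.php",
]

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

CONNECTOR = "wp-file-manager/lib/php/connector.minimal.php"  # the exposed elFinder connector
FILES_DIR = "wp-file-manager/lib/files/"                      # the upload directory used in the attacks


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request found in the access log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        reason = None
        if CONNECTOR in path:
            reason = "request to connector.minimal.php"
        elif FILES_DIR in path and path.lower().endswith(".php"):
            reason = "PHP file served from lib/files upload directory"
        if reason:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": m.group("status"),
                "reason": reason,
            })
    return findings


def php_in_upload_dir(paths: List[str]) -> List[str]:
    """Return every .php file located under the plugin's lib/files/ directory.

    Legitimate uploads handled by the plugin are user files; a PHP script there is
    an indicator matching the post-exploitation behaviour described in the article.
    """
    return [p for p in paths if FILES_DIR in p and p.lower().endswith(".php")]


def summarize_by_ip(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count suspicious requests per client IP to see who drove the activity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["reason"]}')
    print("requests per IP:", summarize_by_ip(hits))
    print("PHP files in upload dir:", php_in_upload_dir(SAMPLE_FILES))
```

On a real host, feed `scan_access_log` the contents of the server's access log (rotated files included, since the article dates the first attempts to September 1) and `php_in_upload_dir` a listing of the plugin directory; any hit on the connector from outside the site's own administrators, or any PHP file under lib/files/, is reason to treat the site as compromised and to inspect /wp-admin/admin-ajax.php and /wp-includes/user.php for the injected backdoor rather than only updating the plugin.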

Separately, the corrective release WordPress 5.5.1 has been published, containing 40 fixes.

Source: opennet.ru
