A new zero-day vulnerability was found by Wordfence in a WordPress plugin. The vulnerability exists in the File Manager plugin and allows unauthenticated attackers to execute arbitrary code on a WordPress site. WordPress is a popular website-building platform used by millions of users worldwide. The vulnerability has affected 70,000 active users of WordPress.
The presence of the vulnerability was reported to the authorities on the morning of 1st September, and a patch was developed the same morning. Users were advised to install the latest version (6.9), which contains the patch for the threat and protection against it.
Wordfence is itself a plugin for WordPress. It claims that its premium users and free users are protected from the vulnerability by the Wordfence firewall's built-in file upload protection, which needs regular optimization. Premium users will have access to it from 1st September 2020, while free users will get it one month later, on 1st October 2020.
The vulnerability was discovered in the File Manager plugin, whose primary function is to help WordPress administrators manage the files on their sites. elFinder is an open-source file manager bundled as an additional library inside the plugin. It is designed to provide a simple file-management interface and the core functionality behind the File Manager. The way the File Manager uses this library led to the vulnerability discussed here.
The File Manager recently changed the extension of a file in the elFinder library from connector.minimal.php.dist to .php so that it could be executed directly. The problem started with this change: the library contains files that are not meant to be used as-is, and this file had no direct access restrictions, which means that anybody could access it. It could be used to initiate elFinder commands and could be hooked to an elFinder file, and any parameters sent in a request to the hooked file could be run by the connector file. This made the files inside the plugin directory vulnerable, but not files outside it, because the plugin's built-in protection against directory traversal prevents that.
The team at Wordfence created an additional firewall rule to deal with the issue, since it was possible to send a specially crafted request to create an empty PHP file; the attacker could then send further requests to save malicious code into that file. There were some additional threats, so the company created additional firewall rules to cover all of them.
The connector file that had been added was also removed in the patched version, to prevent exploitation of this vulnerability without impacting standard functionality.
Extent of the Problem
The blog explained in detail how such a vulnerability in the File Manager plugin could be dangerous. It could allow an attacker to manipulate or upload any file of their choice directly from the WordPress dashboard and escalate privileges once the admin area is accessed. The company advised users to uninstall such plugins when not in use, to prevent any intrusion by attackers.
Data released by the company reveals that the firewall blocked 450,000 exploit attempts in which attackers tried to inject random files. Most of the files used by the exploiters were observed to start with 'hard' or 'x'. The attackers may have probed the vulnerability by injecting empty files and, on successful injection, injected a malicious file to carry out the attack.
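As an added example (not code from Wordfence or from the plugin), the following Python script turns the two observations above into a simple access-log check for site owners: it flags any request that reaches the renamed connector.minimal.php file directly, and any request for a PHP file under the plugins tree whose name starts with 'hard' or 'x', then counts flagged requests per source IP. The sample log lines are constructed, and the plugin directory names inside them are assumed; only the connector file name and the 'hard'/'x' prefixes come from the article.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format), not real traffic;
# the plugin directory names are assumed, only the file names come from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2020:09:12:01 +0000] "POST /wp-content/plugins/file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [01/Sep/2020:09:12:03 +0000] "POST /wp-content/plugins/file-manager/lib/files/hardfork.php HTTP/1.1" 200 88 "-" "curl/7.68.0"
198.51.100.7 - - [01/Sep/2020:09:15:44 +0000] "GET /wp-content/plugins/file-manager/lib/files/x.php HTTP/1.1" 404 12 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Sep/2020:09:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

# Only the fields the rules need are captured from each combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

CONNECTOR_FILE = "connector.minimal.php"   # the .dist file the plugin renamed and exposed
SUSPICIOUS_PREFIXES = ("hard", "x")        # PHP file names seen in the blocked exploit attempts

def parse_line(line):
    """Return the captured fields of one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a reason string if the request matches an exploitation pattern, else None."""
    path = entry["path"].split("?", 1)[0]            # ignore the query string
    name = path.rsplit("/", 1)[-1].lower()
    if name == CONNECTOR_FILE:
        return "direct request to the elFinder connector file"
    # Narrowed to the plugins tree to limit false positives from unrelated x*.php files.
    if "/wp-content/plugins/" in path and name.endswith(".php") and name.startswith(SUSPICIOUS_PREFIXES):
        return "request for a PHP file named like those dropped in exploit attempts"
    return None

def scan(log_text):
    """Scan log text and return (list of findings, Counter of flagged requests per source IP)."""
    findings, by_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        reason = classify(entry) if entry else None
        if reason:
            findings.append({**entry, "reason": reason})
            by_ip[entry["ip"]] += 1
    return findings, by_ip

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG)[0]:
        print(f"{f['ip']} {f['method']} {f['path']} {f['status']} -> {f['reason']}")
```

A hit on the connector file from an unauthenticated client is the signal to check whether the plugin is below version 6.9 and to look for unexpected PHP files in the plugin directory.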
The company shared the names of the following files most often used in the malicious attacks:
The company also shared the list of IP addresses seen used in the attacks:
The vulnerability was discovered by Gonzalo Cruz from Arsys, who noticed an offending IP address attempting to upload PHP files to their sites. He presented the vulnerability to the authorities with a working demonstration, after which the team responded with a patched, updated version the same morning.
The vulnerability is still being widely exploited. The team has advised users to stay alert and update their plugins to the latest versions as soon as possible.