Recent Plugin Bug: WordPress Sites Under Probing and Attack


  • WordPress sites being attacked due to the “File Manager” plugin.  
  • Wordfence is taking security measures to alleviate the problems.
  • Wordfence recommendations to avoid such malicious attacks.  

According to reports, thousands of WordPress sites have been attacked yet again, said Defiant – the company behind Wordfence. On Friday, they stated that the attackers exploited “File Manager,” which is a popular WordPress plugin that almost more than 700,000 users are using for their sites.  

It is generally considered as a Zero-day vulnerability where the attacker uploaded malicious files in an older version of the plugin.   

Ram Gall, a representative of Wordfence, stated in a post: “Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record,”  

The attacks took the intensity gradually, starting as slow and infrequent. The good news, however, is that the File Manager developers immediately released a patch for the zero-day exploit as long as they got to know about the attack. In this way, they were able to keep some of the sites safe, but still, others could not do the update on time.   

Wordfence wrote in its blog that: “The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the File Manager itself did not use the connector file. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning anyone could access the file. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.”  

The hackers are probing different sites, and wherever they find the point of vulnerability, they upload a web shell inside an image file on the user’s server. It gave the hackers access to the website. Gall believes that the true magnitude of vulnerability and attacks is yet unknown, but it is for sure much more extensive than we can see right now.   

Wordfence, in its blog, emphasizes that the users take precautions when installing third-party plugins, as they might expose some critical areas of your WordPress site and can lead to severe problems. A plugin like this can make it easier for hackers to install or upload any file using the dashboard. The most that can happen is the hacker gaining access to the website’s admin area. Therefore, it is highly recommended that the users uninstall any plugins that they are not using, so they do not make intrusion of attackers easier for their websites.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email