Wednesday, October 28, 2020

700,000 WordPress Sites Affected By Zero-day Vulnerability in File Manager Plugin – LinuxAndUbuntu


Yesterday a zero-day vulnerability was discovered in File Manager, a popular WordPress plugin. The vulnerability allows arbitrary file upload and remote code execution.

File Manager is a plugin that lets users browse site files in an easy way. It has over 700,000 active installations, which makes it an attractive target for attackers.

The vulnerability was discovered yesterday by Seravo as part of their WordPress upkeep service. They noticed unusual activity on several of their customers’ websites, and further investigation revealed the severe vulnerability in the File Manager plugin.

Zero-day Arbitrary file upload & Remote code execution

The vulnerability stems from the connector.minimal.php file being directly executable. That file loads lib/php/elFinderConnector.class.php, which reads POST/GET variables and invokes File Manager features such as file uploading.

Since these PHP scripts can be executed without authentication, an attacker can upload arbitrary PHP files and then execute them.

Upgrade plugin to version 6.9

The plugin’s team was informed about the vulnerability and released the patched version 6.9. Any website using wp-file-manager 6.8 or below should upgrade to 6.9 as soon as possible.

The vulnerability is being exploited in the wild. If you use the plugin and have already upgraded to the patched version, you should still scan the website for any malicious files that an attacker could have uploaded before the upgrade.
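The two checks recommended above, the version check and the post-upgrade scan for planted files, can be automated from the server side. The following Python script is an added example, not code from the article or from the plugin’s authors. It assumes the plugin’s main file lives at wp-content/plugins/wp-file-manager/file_folder_manager.php with a standard WordPress “Version:” header (a placeholder path; point PLUGIN_MAIN at the real file) and that uploads live under wp-content/uploads/. The sample site tree it audits is constructed inside the script.

```python
"""Added example (not from the article or the plugin's authors): a local,
defender-side audit for the wp-file-manager issue described above.

Assumptions made here, not stated on the page:
  * the plugin's main file sits at wp-content/plugins/wp-file-manager/
    file_folder_manager.php and carries a standard WordPress 'Version:'
    header (placeholder path; set PLUGIN_MAIN to the real location);
  * user uploads live under wp-content/uploads/.
"""
import os
import re
import tempfile
from pathlib import Path

PATCHED_VERSION = (6, 9)  # fixed release named in the article
PLUGIN_MAIN = Path("wp-content/plugins/wp-file-manager/file_folder_manager.php")  # assumed path
UPLOADS_DIR = Path("wp-content/uploads")
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def parse_plugin_version(header_text):
    """Read the 'Version:' line of a WordPress plugin header; return a tuple of ints or None."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_version(version):
    """The article says 6.8 and below are affected; tuple comparison orders 6.10 after 6.9 correctly."""
    return version is not None and version < PATCHED_VERSION


def scan_for_php(root):
    """Walk `root` and flag files that are PHP by extension, or that carry a PHP open tag
    under a non-PHP extension (a common way dropped files hide in an uploads tree)."""
    findings = []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.suffix.lower() in PHP_EXTENSIONS:
                findings.append((rel, "php-extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # an open tag near the start is enough to flag
            except OSError:
                continue
            if PHP_OPEN_TAG.search(head):
                findings.append((rel, "php-tag-in-non-php-file"))
    return sorted(findings)


def audit_site(site_root):
    """Combine the version check with an uploads scan; returns a plain dict for reporting."""
    site_root = Path(site_root)
    main_file = site_root / PLUGIN_MAIN
    version = parse_plugin_version(main_file.read_text(errors="replace")) if main_file.exists() else None
    return {
        "plugin_version": version,
        "needs_upgrade": is_vulnerable_version(version),
        "suspicious_uploads": scan_for_php(site_root / UPLOADS_DIR),
    }


def build_sample_site(base):
    """Constructed sample tree: an unpatched 6.8 install plus two planted files."""
    base = Path(base)
    main_file = base / PLUGIN_MAIN
    main_file.parent.mkdir(parents=True)
    main_file.write_text("<?php\n/*\n * Plugin Name: File Manager\n * Version: 6.8\n */\n")
    uploads = base / UPLOADS_DIR / "2020" / "09"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # benign JPEG header
    (uploads / "hello.php").write_text("<?php echo 'planted'; ?>\n")         # constructed finding
    (uploads / "logo.png").write_bytes(b"\x89PNG\r\n<?php /* hidden */ ?>")  # constructed finding
    return base


def demo():
    """Run the audit against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_site(build_sample_site(tmp))


if __name__ == "__main__":
    print(demo())
```

Run it against a real document root by calling audit_site("/var/www/html") (or wherever WordPress is installed) instead of demo(); a non-empty suspicious_uploads list is a starting point for manual review, not proof of compromise, since some themes and plugins legitimately keep PHP outside the plugins directory.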
