Monday, August 31, 2020

UPDATED 2.9.2020: A new vulnerability has been discovered in the File Manager plugin: File Manager < 6.9 - Arbitrary File Upload leading to RCE.

This is a serious zero-day vulnerability: it was being actively exploited against live sites before a fix was available.

Please share this information as widely as possible; any users of this plugin should check their WordPress sites immediately!

This issue is critical for two reasons:

  1. The vulnerability itself is serious: an unauthenticated attacker can upload arbitrary files, including PHP, to the site and then execute them, which gives remote code execution (RCE) and an easy route to dropping malware.
  2. It is a 'zero-day' vulnerability, meaning the issue was known about and being exploited in the wild before the author published a fix. A patch has since become available.

The first fixed version of File Manager is 6.9, so make sure you are running 6.9 or later. However, if you had an earlier version installed and have only just updated, you should still check your site for any sign of compromise, because updating removes the hole but not anything an attacker already uploaded. WP NET customers should open a ticket.

This comes less than a month after the last vulnerability was discovered:

  • 2020-09-01 File Manager < 6.9 - Arbitrary File Upload leading to RCE - fixed in version 6.9
  • 2020-08-10 File Manager < 6.5 - Backup File Directory Listing - fixed in version 6.5

If you, or anyone you know, use this plugin: please update your site immediately and check the references at the end of this article for further information. Detail may change as this develops, so we are linking to resources that will be tracking this closely.

How do I know if my site is hacked?

There are a few variants of the payload, but the first thing to check is whether any of these files is present in the plugin directory:

  • /wp-content/plugins/wp-file-manager/lib/files/hardfork.php
  • /wp-content/plugins/wp-file-manager/lib/files/hardfind.php
  • /wp-content/plugins/wp-file-manager/lib/files/x.php

Please check the references at the end of this article for more details.
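The script below is an added example (not WP NET's tooling and not from the plugin author) that turns the check above into something you can run against a WordPress document root: it confirms whether wp-file-manager is installed, reads its version from the plugin header, flags anything below 6.9, and looks in lib/files/ for the three filenames listed above. It goes slightly beyond the list by also reporting any other PHP file in lib/files/, since every listed indicator sits in that directory. It assumes the plugin path shown above and a standard WordPress "Version:" plugin header in a PHP file at the plugin root; both are assumptions, not details taken from this advisory.

```sh
#!/bin/sh
# Added example (not WP NET's own tooling): check a WordPress install for the
# WP File Manager plugin, its version, and the webshell filenames named in the
# advisory above.  Usage: sh check_wpfm.sh /path/to/wordpress
#
# Assumptions (not stated in the advisory): the plugin lives in
# wp-content/plugins/wp-file-manager and declares its version in a standard
# WordPress plugin header ("Version: x.y") in a PHP file at the plugin root.

PLUGIN_REL="wp-content/plugins/wp-file-manager"
KNOWN_IOCS="hardfork.php hardfind.php x.php"   # filenames from the advisory
SAFE_MAJOR=6
SAFE_MINOR=9

# Returns 0 if the plugin directory exists under the given WordPress root.
plugin_present() {
    [ -d "$1/$PLUGIN_REL" ]
}

# Prints the plugin version read from its header, or "unknown".
plugin_version() {
    v=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1/$PLUGIN_REL"/*.php 2>/dev/null \
        | head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# Returns 0 if the version string in $1 is below 6.9 (vulnerable), 1 otherwise.
# Anything that does not parse as a number is treated as vulnerable.
version_vulnerable() {
    case "$1" in
        *.*) major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*} ;;
        *)   major=$1; minor=0 ;;
    esac
    case "$major$minor" in *[!0-9]*|"") return 0 ;; esac
    [ "$major" -lt "$SAFE_MAJOR" ] && return 0
    [ "$major" -eq "$SAFE_MAJOR" ] && [ "$minor" -lt "$SAFE_MINOR" ] && return 0
    return 1
}

# Prints each known webshell filename found under lib/files/, plus any other
# PHP file there (all of the advisory's indicators live in that directory, so
# executable code in it is suspicious regardless of name).  Returns 0 if
# anything was found, 1 if the directory is clean or absent.
scan_iocs() {
    dir="$1/$PLUGIN_REL/lib/files"
    found=1
    [ -d "$dir" ] || return 1
    for f in $KNOWN_IOCS; do
        [ -f "$dir/$f" ] && { printf 'KNOWN IOC: %s\n' "$dir/$f"; found=0; }
    done
    for f in "$dir"/*.php "$dir"/*.phtml "$dir"/*.php[0-9]; do
        [ -f "$f" ] || continue
        b=$(basename "$f")
        case " $KNOWN_IOCS " in *" $b "*) continue ;; esac   # already reported
        printf 'OTHER PHP IN UPLOAD DIR: %s\n' "$f"
        found=0
    done
    return $found
}

# Overall check: prints findings and returns 0 when the site needs attention
# (vulnerable version and/or indicators present), 1 when nothing was found.
check_site() {
    root="$1"
    if ! plugin_present "$root"; then
        echo "wp-file-manager not installed under $root"
        return 1
    fi
    ver=$(plugin_version "$root")
    echo "wp-file-manager version: $ver"
    rc=1
    if version_vulnerable "$ver"; then
        echo "VULNERABLE: version below 6.9, update immediately"
        rc=0
    fi
    if scan_iocs "$root"; then
        echo "POSSIBLE COMPROMISE: webshell indicators present, open a ticket"
        rc=0
    fi
    return $rc
}

# Run against the path given on the command line, if any.
if [ -n "$1" ]; then
    check_site "$1"
fi
```

Run it as `sh check_wpfm.sh /var/www/html`; an exit status of 0 means the site needs attention. The absence of these three filenames does not prove a site is clean, since an attacker can name an uploaded file anything, so a site that reports a vulnerable version should get a wider scan for unexpected PHP files and recently modified files, not just this check.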


WP NET Managed WordPress MWP customers

All WP NET Managed WordPress sites have been updated automatically. We are also conducting additional scans and searches on ALL servers for any instances of the plugin, or signs of compromise.

WP NET Support will also check all un-managed staging and dev sites for any instances of the plugin, or signs of compromise.

If you do spot any unusual activity or have any questions, please open a support ticket.

WP NET Managed Server customers

WP NET Managed Servers are the most likely place where vulnerable instances may remain, because many customers self-manage (or have third-party support for) their WP site(s), so WP NET support does not actively monitor these sites.

However, due to the severity of this issue, we are now conducting full scans of ALL Managed Servers. We will contact customers directly if we identify any issues.

If you manage sites on WP NET Managed Servers and know of instances of WP File Manager, please check those sites and contact WP NET Support if you have any questions.

References:
