WordPress is the most commonly attacked platform on the web because of its massive user base. Now the content management system has once again come under scrutiny for a vulnerability that can be exploited to take over a WordPress-powered website.

The zero-day vulnerability was in the File Manager plugin, which is installed on over 700,000 sites. It lets users manage file transfers, uploads, copying and deletion as an alternative to FTP (File Transfer Protocol). But version 6.4, released on May 5, 2020, allowed attackers to upload malicious files without authentication.

“A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area,” said Chloe Chamberland, Director of Information Security at Wordfence, an endpoint firewall provider.

The vulnerability in version 6.4 was the result of carelessness rather than a design flaw. During development and testing, a file (connector-minimal.php) was renamed to connector-minimal.php-dist. That renamed file was then accidentally shipped in the final release instead of being kept as a local change.

While it is unknown how the attackers found the vulnerability, all they had to do was rename the file back to connector-minimal.php to exploit the widely used plugin. So far, attackers have scanned millions of websites for the plugin. Where it was installed, they could exploit the issue and upload a malicious script (also known as a web shell) hidden inside a file. The attacker can then take over the site.
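For a site owner trying to confirm whether their own install is exposed, the article gives three concrete things to look for: the plugin version (anything before 6.9), the connector file having been renamed back to connector-minimal.php, and PHP files sitting in the uploads directory where a web shell would land. The script below is an added example written for this page, not code from the article, from Wordfence or from the plugin's author. It assumes the plugin lives in wp-content/plugins/wp-file-manager/ (an assumed path), that its main file carries the standard WordPress "Version:" plugin header, and it uses the file names exactly as the article spells them. The WordPress tree it inspects is constructed in a temporary directory so the example runs offline.

```python
"""Audit a WordPress tree for the File Manager weakness described in the article.

Added example, not the plugin's or Wordfence's code. The plugin directory and
main-file name are assumptions; the connector file names follow the article.
"""
import re
import tempfile
from pathlib import Path

PLUGIN_DIR = Path("wp-content/plugins/wp-file-manager")  # assumed plugin location
UPLOADS_DIR = Path("wp-content/uploads")                 # standard WordPress uploads directory
FIXED_VERSION = (6, 9)                                   # release the article names as carrying the fix
DIST_FILE = "connector-minimal.php-dist"                 # inert name the test file shipped under
LIVE_FILE = "connector-minimal.php"                      # name it must have to be reachable
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}      # extensions that should never sit in uploads


def parse_version(header_text):
    """Return the 'Version:' value of a WordPress plugin header as an int tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def plugin_version(plugin_dir):
    """Find the plugin version by scanning its top-level PHP files for a plugin header."""
    for php in sorted(plugin_dir.glob("*.php")):
        v = parse_version(php.read_text(errors="ignore")[:4096])
        if v:
            return v
    return None


def audit(wp_root):
    """Collect the findings a defender wants: version, connector state, PHP in uploads."""
    root = Path(wp_root)
    plugin = root / PLUGIN_DIR
    out = {"installed": plugin.is_dir(), "version": None, "outdated": False,
           "dist_file": [], "live_connector": [], "php_in_uploads": []}
    if out["installed"]:
        out["version"] = plugin_version(plugin)
        out["outdated"] = out["version"] is not None and out["version"] < FIXED_VERSION
        for p in plugin.rglob("*"):
            if p.name == DIST_FILE:          # shipped but still inert under its -dist name
                out["dist_file"].append(p.relative_to(root).as_posix())
            elif p.name == LIVE_FILE:        # renamed back: the state the article describes as exploitable
                out["live_connector"].append(p.relative_to(root).as_posix())
    uploads = root / UPLOADS_DIR
    if uploads.is_dir():
        for p in uploads.rglob("*"):
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
                out["php_in_uploads"].append(p.relative_to(root).as_posix())
    return out


def make_sample_tree(vulnerable=True):
    """Build a constructed WordPress tree in a temp dir and return its root (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    plugin = root / PLUGIN_DIR
    (plugin / "lib" / "php").mkdir(parents=True)
    version = "6.4" if vulnerable else "6.9"
    # 'plugin.php' is an assumed main-file name for the constructed sample
    (plugin / "plugin.php").write_text(f"<?php\n/*\nPlugin Name: File Manager\nVersion: {version}\n*/\n")
    if vulnerable:
        (plugin / "lib" / "php" / LIVE_FILE).write_text("<?php // connector exposed by the rename\n")
        (root / UPLOADS_DIR / "2020" / "09").mkdir(parents=True)
        (root / UPLOADS_DIR / "2020" / "09" / "c.php").write_text("<?php // constructed stand-in for a dropped script\n")
    else:
        (root / UPLOADS_DIR).mkdir(parents=True)
    return root


if __name__ == "__main__":
    for vuln in (True, False):
        label = "vulnerable sample" if vuln else "patched sample"
        print(label, audit(make_sample_tree(vuln)))
```

Run against a real install by calling `audit("/var/www/html")` (or wherever the site root is); a non-empty `live_connector` or `php_in_uploads` list, or `outdated` being true, is the signal to update the plugin and review the flagged files. Version comparison is done on integer tuples so that 6.10 would correctly sort after 6.9, which a string comparison would get wrong.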

“Looks like there is Zero-Day Vulnerability with WP File Manager. My site got hacked and some of my URLs are redirecting to other pages. I don’t know what they changed and how to fix it. Anyone knows how to fix it?” a user asked in WordPress’ forum.

Ram Gall, a WordPress threat analyst at Defiant, told ZDNet that attacks exploiting this vulnerability had risen sharply over the preceding days, with the company recording over a million attacks on September 4 alone. Gall said that his company had blocked over 1.7 million attacks since September 1, when the campaign was first noticed. But he believes the real number of attacks is much higher, since hundreds of millions of sites use WordPress.

However, the plugin's author has since released an updated version (6.9) that fixes the vulnerability. While over 600,000 users have already patched the plugin, many have not, leaving their sites exposed to these attacks. To reduce the lag in applying updates, the WordPress developer team has recently launched an auto-update option. The feature automatically updates plugins as soon as new versions are available.

“We take security very seriously, and apologize to our community for any inconvenience or issues that have been caused. We urge users to update to the latest version immediately since it contains a patch for this vulnerability and will keep you protected,” said the plugin’s creator, who goes by the pseudonym mndpsingh287 on the WordPress forum.

Source: https://www.ibtimes.sg/cybersecurity-wordpress-plugin-bug-allows-hackers-exploit-millions-websites-51237

World news – GB – Cybersecurity: WordPress Plugin Bug Allows Hackers to Exploit Millions of Websites

