
Millions of WordPress sites targeted using major security flaw


Millions of WordPress sites are facing attack following the discovery of a security flaw in a popular plugin.

Researchers at security firm Defiant have warned that the File Manager plugin used by hundreds of thousands of WordPress sites has a zero-day vulnerability allowing hackers to launch attacks on users.

The flaw could allow attackers to upload malicious files onto WordPress sites that have not updated to the latest version of File Manager.

WordPress zero-day

Defiant noted in a blog post that the File Manager plugin is installed on over 700,000 WordPress websites, with the company estimating that over a third (37.4%, or around 261,800 websites) still have vulnerable versions of this plugin installed.

The company, which operates the web firewall service Wordfence, says it has recorded attacks against 1.7 million sites since the vulnerability was first exploited, with 11 sites being targeted more than 100,000 times.

The developers of File Manager have created and released a patch for the vulnerability, and users are urged to update their software as soon as possible. If they do not, attackers could exploit the flaw to upload an image file with a web shell hidden inside; once it is on the victim's server, they could then access the web shell to take over the victim's site.

Given the reach that File Manager gives a user of the wp-admin dashboard, the plugin could present attackers with access to all facets of affected WordPress sites.

The security flaw is present in File Manager versions 6.0 to 6.8, so WordPress site owners should update the plugin to version 6.9 immediately to avoid any potential attacks that exploit the now patched vulnerability.

The news comes a few months after a similar critical vulnerability was identified by Wordfence in a WordPress plugin installed across more than 80,000 websites. The WordPress plugin vulnerability first surfaced with wpDiscuz version 7.0.0, which introduced a facility that allows users to attach images to comments.

Although the feature was intended to allow for image uploads only, the file type verification process could be easily circumvented, allowing hackers to upload any file of their choosing and sow the seed for account takeover.
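Both incidents above turn on the same thing: an "image" upload that is really executable code (a web shell hidden in an image file for File Manager, a bypassed file type check for wpDiscuz). As an added example, not code from the article, Defiant or either plugin, the following scan walks an uploads directory (assumed to be wp-content/uploads) and flags files whose extension claims an image but whose bytes lack the image signature or contain a PHP open tag.

```python
import os
import re
import tempfile

# Expected leading bytes for the image types the check understands.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
# A PHP open tag anywhere inside an "image" is a strong polyglot indicator.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def inspect_file(path):
    """Return findings for one file; non-image extensions are skipped."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("bad-signature")   # extension does not match content
    if PHP_TAG.search(data):
        findings.append("php-tag")         # executable code inside an image
    return findings

def scan_uploads(root):
    """Walk a directory (assumed: wp-content/uploads) and map path -> findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found = inspect_file(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report

def demo():
    """Constructed samples (not real captures): clean PNG, PNG polyglot, fake JPG."""
    root = tempfile.mkdtemp()
    samples = {
        "clean.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,
        "polyglot.png": IMAGE_MAGIC[".png"] + b"\x00" * 8 + b"<?php echo 'x'; ?>",
        "notreally.jpg": b"<?php echo 'y'; ?>",
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return scan_uploads(root)
```

A clean file produces no entry, so on a real site the report lists only the files worth a closer look; pair it with a web server rule that refuses to execute PHP from the uploads directory.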

Via ZDNet