A Vulnerability in WordPress File Manager Plugin Could Allow for Remote Code Execution

ITS Advisory Number: 
2020-123
Date(s) Issued: 
Friday, September 4, 2020
Subject: 
A Vulnerability in WordPress File Manager Plugin Could Allow for Remote Code Execution
Overview: 

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. WordPress is a web-based publishing application implemented in PHP, and the File Manager Plugin allows site Admins to upload, edit, delete files and folders directly from the WordPress backend without having to use FTP. Successful exploitation of this vulnerability could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

 

THREAT INTELLIGENCE:

On August 25th, A proof of concept (PoC) exploit script was published to a Github repository. In addition, there are reports of these of this vulnerability being actively exploited in the wild.

Systems Affected: 
  • File Manager versions 6.0 - 6.8
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. This vulnerability exists due to the improper inclusion of an open-source file manager library called elFinder. It appears that the file "connector.minimal.php-dist" was stored in an executable format (renamed to .php) and the file "could be accessed by anyone". An attacker could exploit this flaw by sending a specially crafted request to the connector.minimal.php file which can lead to remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Actions: 
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • After appropriate testing, immediately apply appropriate updates provided by File Manager to affected systems.
  • Apply the Principle of Least Privilege to all systems and services.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.