A Vulnerability in WordPress File Manager Plugin Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2020-123

DATE(S) ISSUED:

09/04/2020

OVERVIEW:

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. WordPress is a web-based publishing application implemented in PHP, and the File Manager Plugin allows site Admins to upload, edit, delete files and folders directly from the WordPress backend without having to use FTP. Successful exploitation of this vulnerability could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

THREAT INTELLIGENCE:

On August 25th, A proof of concept (PoC) exploit script was published to a Github repository. In addition, there are reports of these of this vulnerability being actively exploited in the wild.

SYSTEMS AFFECTED:

  • File Manager versions 6.0 – 6.8

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. This vulnerability exists due to the improper inclusion of an open-source file manager library called elFinder. It appears that the file “connector.minimal.php-dist” was stored in an executable format (renamed to .php) and the file “could be accessed by anyone”. An attacker could exploit this flaw by sending a specially crafted request to the connector.minimal.php file which can lead to remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by File Manager to affected systems, immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services.
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Related Resources



Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0

Pencil Blog post 03 Dec 2020
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0