
A Vulnerability in WordPress File Manager Plugin Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2020-123

DATE(S) ISSUED:

09/04/2020

OVERVIEW:

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. WordPress is a web-based publishing application implemented in PHP, and the File Manager plugin allows site admins to upload, edit, and delete files and folders directly from the WordPress backend without having to use FTP. Successful exploitation of this vulnerability could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

THREAT INTELLIGENCE:

On August 25th, a proof of concept (PoC) exploit script was published to a GitHub repository. In addition, there are reports of this vulnerability being actively exploited in the wild.

SYSTEMS AFFECTED:

  • File Manager versions 6.0 – 6.8

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in the File Manager plugin that could allow for remote code execution. This vulnerability exists due to the improper inclusion of an open-source file manager library called elFinder. It appears that the file “connector.minimal.php-dist” was stored in an executable format (renamed to .php) and that the file “could be accessed by anyone”. An attacker could exploit this flaw by sending a specially crafted request to the connector.minimal.php file, which can lead to remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Application accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by File Manager to affected systems, immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
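The technical summary above identifies the exposed elFinder connector file, and the recommendations call for confirming the installed plugin version and monitoring for anomalous activity. The following Python script is an added example (it is not part of the MS-ISAC advisory and is not code from the File Manager or elFinder projects) showing both checks from the defender's side: it reads a WordPress plugin file header to decide whether the installed version falls in the advisory's affected range (6.0 to 6.8), and it scans web-server access logs in combined format for requests to a file named connector.minimal.php. The sample log lines and plugin header are constructed for the example; the plugin directory and lib/php sub-path they use are assumed, not taken from the advisory.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Apache/nginx "combined" log format; the quoted request holds METHOD PATH PROTOCOL.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Name of the elFinder connector file described in the advisory (shipped as
# connector.minimal.php-dist and renamed to .php). The plugin directory and
# lib/php sub-path in the sample lines below are assumptions for this example.
CONNECTOR_NAME = "connector.minimal.php"

# Affected range as stated in the advisory (File Manager 6.0 - 6.8), compared on major.minor.
AFFECTED_MIN = (6, 0)
AFFECTED_MAX = (6, 8)

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2020:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Sep/2020:10:15:07 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 312 "-" "python-requests/2.24.0"
198.51.100.9 - - [04/Sep/2020:10:16:22 +0000] "GET /wp-content/uploads/2020/09/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Sep/2020:10:16:30 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Sep/2020:10:16:40 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# Constructed sample of a WordPress plugin file header; version chosen to fall in the affected range.
SAMPLE_PLUGIN_HEADER = """\
<?php
/*
Plugin Name: File Manager
Version: 6.5
*/
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line into its fields, or None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_connector_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed request whose path (ignoring any query string) ends in the connector file name."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/" + CONNECTOR_NAME):
            hits.append(rec)
    return hits


def sources_by_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address, a quick triage view for the analyst."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


def parse_plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Read the 'Version: X.Y[.Z]' line from a WordPress plugin file header."""
    m = re.search(r'^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)', header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def plugin_version_affected(header_text: str) -> bool:
    """True when the header's major.minor version lies within the advisory's affected range."""
    v = parse_plugin_version(header_text)
    if v is None:
        return False
    major_minor = (v[0], v[1] if len(v) > 1 else 0)
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


if __name__ == "__main__":
    print("installed version affected:", plugin_version_affected(SAMPLE_PLUGIN_HEADER))
    hits = find_connector_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("flagged requests per source:", sources_by_count(hits))
```

Run it against real logs by passing an open file to `find_connector_requests` instead of `SAMPLE_LOG.splitlines()`; a 403 on the connector path still matters, because it shows the file was being probed even where access was blocked, and any 200 response to a POST there warrants the integrity check the recommendations describe before patching.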

REFERENCES:
