12 Oct, 2020

WordPress File Manager Vulnerability Threatens Website Security

A critical vulnerability in WordPress File Manager was recently discovered and fixed. Here's how this vulnerability threatens website security and how you can stay protected.
A critical vulnerability in a popular WordPress plugin was discovered and fixed as of September 1, 2020. A huge number of installations haven't installed the patch for it, and it's being heavily exploited to compromise website security. An attacker who finds a vulnerable site can easily take control of it and change anything or everything.

The plugin is called File Manager or, more formally, wp-file-manager. The first public mention of the vulnerability was on August 26, and exploits started to appear before the patch was available. If your website has a version from before September 2020, it's dangerously vulnerable, and you should update it right away.

Granted, keeping track of every plugin is hard. There's a window of vulnerability until you can bring them up to date. That's why you should have Quttera ThreatSign Website Security. It will protect you against many attacks on your site, even before a public announcement and a patch are available.
The File Manager Vulnerability
The wp-file-manager plugin has over 600,000 active installations. It offers site managers a convenient way to upload, download, edit, and delete files from within WordPress. The plugin provides an easy way to bring files directly into the Media Library. Using an FTP client becomes unnecessary. It also handles archiving files to Zip, Tar, and Gzip formats.

It's very convenient to manage files from within WordPress rather than bringing up a separate piece of software every time the administrator needs to make changes. The software had better be secure, though. A stranger who takes control of that functionality can do unlimited damage.

That is why the vulnerability, known as CVE-2020-25213, is considered critical. It lets intruders take control of those capabilities without needing any credentials.

Here's a short technical look at how it works. The plugin uses a popular open-source library, elFinder, for its low-level file management functionality. The distribution includes an example file called connector.php.minimal.dist. It was intended only as example code, not for use in live systems. Code for live use needs to include authorization checks and other security features, which the example file doesn't have.

Unfortunately, the instructions say to rename the file, giving it a .php extension. This was intended only for testing purposes, but someone must have misunderstood, and File Manager was distributed with the connector renamed. Anyone knowing the path to it could run it remotely. No authentication is required. The error leaves the website wide open for putting files on it or planting malware.

Here is a formal description of the vulnerability, with a link to a Python script that you can use to check if your site is at risk.
The Effect of the Vulnerability
This situation is an example of a remote code execution vulnerability. Malware detection by itself won't find it, since intruders can take advantage of it without placing any additional code on the server. They can also take advantage of it to upload and run malicious scripts. One bit of good news is that elFinder has directory traversal protection, so it can't be used to attack the entire server, just the WordPress directory.

The uploaded scripts can do just about anything to the site, including:

  • Altering the visible content. A script could inject ads, remove information, or add defamatory statements.
  • Altering hidden content. Hidden JavaScript can siphon information to the intruder's server.
  • Accessing the database. It's possible to extract sensitive information or alter data.
  • Running background processes. A cryptomining script could use the server's processing power to mine cryptocurrency while slowing the website down.
  • Stealing information such as passwords, credit card numbers, and other information that the user types in.
Exploitation of the Vulnerability
The vulnerability has been known for barely a month as of this writing, but it has already been heavily exploited. During our periodic audit of our customers' WAF logs, we found that 1.5% of all the inspected attacks targeted the CVE-2020-25213 vulnerability. The number of vulnerable sites at the start of September was over 700,000. The majority of these sites are still vulnerable.
The first attacks were discovered on August 31, before the patch was available.
Over 100 locations around the world have been bases for malicious requests exploiting the weakness. They are based in these countries:

  • United States (51.48%)
  • Canada (7.92%)
  • France (7.92%)
  • Vietnam (6.93%)
  • Germany (3.96%)
  • Russian Federation (3.96%)
  • Egypt (2.97%)
  • European Union, unspecified country (1.98%)
  • Philippines (1.98%)
  • Poland (1.98%)
  • Turkey (1.98%)
  • India (0.99%)
  • Indonesia (0.99%)
  • Italy (0.99%)
  • Netherlands (0.99%)
  • Republic of Korea (0.99%)
  • Romania (0.99%)
  • United Kingdom (0.99%)
The most common attack uploads files called admin.php, kiri.php, x.php, or xa.php. It uses these files to take full control of the website.
Other attack bases will certainly appear over time.
Protection Against the Vulnerability
The surest protection is to bring File Manager up to date. Version 6.9, released on September 1, 2020, removes the vulnerability. Updating it will protect your site against future attacks, but it won't undo any existing infections. If you had a vulnerable version of wp-file-manager on your site, you need to check if malware removal is now necessary.

Keeping up with software security patches is difficult. There is always a window of vulnerability between the discovery of a weakness and the release of a fix. Software updates sometimes cause conflicts and break websites, so a site needs to be tested after any changes. It may have to be rolled back.

Patching software by itself isn't enough. Weaknesses that can't be patched yet present a risk, and protection against them is important. ThreatSign Website Security guards your site against malicious requests, even ones not associated with published vulnerabilities. It recognizes and blocks common types of intrusions, such as remote code execution and surreptitious uploads. Your site will have ongoing protection against both known and unknown threats. Quttera WAF provides additional protection against weakness exploitation with the virtual patching, also known as external patching or just-in-time patching.

ThreatSign monitors your site and discovers any malware infections. It then removes them, and if they've gotten your site blacklisted, ThreatSign will help to get it green-lighted again.
With ThreatSign protection, your users will have a better experience, and your IT department won't have to spend as much time-fighting hacking attempts and malware.