According to Defiant, the company behind the Wordfence web firewall, millions of WordPress sites have been probed and attacked this week as hackers targeted a zero-day vulnerability in the WordPress File Manager plugin, which is installed on over 700,000 WordPress websites.
The File Manager plugin is used to allow website users to upload image files, but a flaw in the plugin's file type checking could allow a user to upload a file with an embedded web shell. Through this, they can seize control of the website and plug it into a botnet.
It is estimated that 37.4% or 261,800 websites are still running vulnerable versions of the plugin.
After learning about the issue, the developer team released a patch for the zero-day vulnerability. If a site's functionality requires continued use of the File Manager plugin, the plugin must be updated to version 6.9, which patches the vulnerability.
Some webmasters have installed the patch, while others have yet to follow suit.
Given the severity of the flaw (CVSS score of 10.0 – critical risk) and the active exploitation, all plugin users must update their sites to the latest version.
Wordfence has also generally advised WordPress admins to uninstall any utility plugins that have gone unused for a long time, because a bug in any plugin running with admin privileges could cause serious damage to the site.
If you were hacked, you can also reinstall WordPress from the "Dashboard -> Updates" menu to clean up the infected core files, and change all admin user and database passwords.
Do the following:
- Restore the site files from a backup and remove the 'File Manager Extension'.
- If no backup is available, manually find all inclusions that were added and remove them along with the plugin.
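As an added illustration of the checks above (this script is not from the article), a POSIX shell script that reports whether a WordPress install still carries a File Manager version older than the patched 6.9 release and lists PHP files sitting in the uploads tree, where an image-upload plugin should never leave any. The plugin directory name wp-file-manager and its main file file_folder_manager.php are assumptions, as is the layout of the site it inspects.

```shell
#!/bin/sh
# Added example, not part of the article: audit a WordPress root for the
# vulnerable File Manager plugin and for PHP files dropped into uploads.
PATCHED_VERSION="6.9"

# Print the "Version:" header value from a plugin's main PHP file.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when dotted version $1 is older than $2 (6.8 < 6.9, 6.10 > 6.9).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 1 }'
}

# Report "vulnerable (v)", "patched (v)" or "absent" for the WordPress root $1.
# The plugin directory and main file names below are assumptions.
check_file_manager() {
    main="$1/wp-content/plugins/wp-file-manager/file_folder_manager.php"
    [ -f "$main" ] || { echo absent; return; }
    v=$(plugin_version "$main")
    if version_lt "$v" "$PATCHED_VERSION"; then
        echo "vulnerable ($v)"
    else
        echo "patched ($v)"
    fi
}

# List PHP-like files inside the uploads tree; review each one found.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}
```

Run it against the document root as the web user, e.g. `check_file_manager /var/www/html; php_in_uploads /var/www/html`, and treat any listed file as something to inspect before the plugin is removed.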
Events such as these have led the WordPress developer team to integrate an auto-update feature for plugins and themes.
WordPress 5.5 was released last month, and you can enable auto-updates to make sure that you remain safe from such attacks.
If you don't know how to fix this, you may contact Webplanners and we will arrange a 'WordPress recovery service'. You can click here to book a call.
If you know a friend or a colleague who is using this plugin on their website, please pass on the information to help keep their websites protected.