A critical vulnerability present in the WordPress plugin File Manager, which is in common use to manage WordPress sites, is being actively attacked globally. To protect against the attack, it is essential to update the plugin to the latest version 6.9 that contains the patch (released Sept 1 2020).  Alternately, disable or remove the plugin until it is updated.  WordPress sites that do not have the plugin enabled are not affected. 

Severity level 

CVSS Score: 10.00 (Critical) 

Description:- 

The vulnerability, which currently does not have a CVE assigned to it, is a remote code execution flaw with a CVSSv3 score of 10.0.  According to Wordfence researchers, the flaw exists due to the improper inclusion of an open-source file manager library called elFinder.  It appears that the file connector.minimal.php-dist was stored in an executable format (renamed to .php) and the file “could be accessed by anyone” in order to execute commands via a function in elFinderConnector.class.php. 

Affected Versions 

6.0 - 6.8 

Impact 

This vulnerability allow unauthenticated users to execute commands and upload malicious files on a target site. 

Resolution 

Upgrade to version 6.9 immediately, remove or disable the plugin. 

Reference 

https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/ 

https://www.tenable.com/blog/critical-vulnerability-in-file-manager-wordpress-plugin-exploited-in-the-wild