WordPress security flaw puts thousands of websites at risk


WordPress users who run the File Manager plugin and haven’t already updated to the latest version (6.9) are advised to do so as quickly as possible. According to an Ars Technica report, hackers are exploiting a vulnerability in the plugin that lets them execute malicious scripts and other commands on behalf of the admins. The WordPress security flaw allows them to upload files that contain webshells hidden in images, and from there they can run scripts in the plugin’s own directory: plugins/wp-file-manager/lib/files/.

Who was targeted by the attack?

This WordPress security flaw is particularly dangerous because the File Manager plugin is one of the most popular ones on the platform. It’s currently installed on over 700,000 websites, helping admins edit, delete, upload, download, copy, and paste files from the WP backend. According to a website security firm, more than 450,000 exploit attempts were blocked in the past few days alone, but it’s still too early to estimate the full impact of the attack. Still, with so many websites exposed, the potential for damage is considerable. Because of the security flaw, hackers can manipulate or upload files straight from the WP dashboard, and even escalate their privileges once they are inside the admin area.

The flaw was found on File Manager versions 6.0 to 6.8, but, fortunately, the developers were quick to release version 6.9, which fixed the problem.

How do you know if your website was affected?

If you use File Manager and you’re worried that your website might have been affected by the WordPress security flaw, the first thing you should do is check which version of the plugin you have installed. If you haven’t updated to the latest version (6.9) yet, you should update as soon as possible, even if you haven’t noticed any signs of malicious activity. For extra safety, you can also run a web application firewall in front of your WordPress website to block exploitation attempts against vulnerabilities that haven’t been patched yet.
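As an added example (not code from the article, from Ars Technica, or from the plugin’s developers), the following Python script performs the two checks a site owner would want after reading the section above: it reads the version from a WordPress plugin header and flags the 6.0 to 6.8 range the article names as vulnerable, and it lists files under plugins/wp-file-manager/lib/files/ that are PHP scripts or contain a PHP open tag, which is how a webshell hidden in an image file shows up on disk. The plugin header text, the wp-content directory tree and the sample files are all constructed for the demo; the real plugin’s main file name is not assumed, so point the audit at whichever file carries the plugin header on your install.

```python
import re
import tempfile
from pathlib import Path

# Vulnerable range (6.0 to 6.8) as stated in the article; 6.9 is the fixed release.
FIRST_VULNERABLE = (6, 0)
LAST_VULNERABLE = (6, 8)

# Directory the article names as the place uploaded scripts end up, relative to wp-content.
UPLOAD_DIR = Path("plugins/wp-file-manager/lib/files")

# Constructed sample of a WordPress plugin header block (not the real plugin's file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: File Manager
Version: 6.7
*/
"""

# PHP open tags; a file under lib/files/ should never contain one.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")


def parse_plugin_version(header_text):
    """Return (major, minor) from the 'Version:' line of a plugin header, or None."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", header_text, re.MULTILINE)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return (parts[0], parts[1] if len(parts) > 1 else 0)


def is_vulnerable_version(version):
    """True if the version falls in the 6.0 to 6.8 range the article describes."""
    return FIRST_VULNERABLE <= version <= LAST_VULNERABLE


def find_php_in_uploads(wp_content):
    """List files under lib/files/ that are PHP scripts or carry an embedded PHP tag."""
    upload_dir = Path(wp_content) / UPLOAD_DIR
    hits = []
    if not upload_dir.is_dir():
        return hits
    for path in sorted(upload_dir.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in {".php", ".phtml"} or PHP_TAG.search(path.read_bytes()):
            hits.append(path.relative_to(upload_dir).as_posix())
    return hits


def build_demo_tree():
    """Create a constructed wp-content tree: a clean image, an image with PHP appended, a .php file."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    upload_dir = root / UPLOAD_DIR
    upload_dir.mkdir(parents=True)
    (upload_dir / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (upload_dir / "sneaky.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* constructed marker */ ?>"
    )
    (upload_dir / "shell.php").write_bytes(b"<?php /* constructed marker */ ?>")
    return root


def audit(wp_content, header_text):
    """Combine the version check and the upload scan into one report."""
    version = parse_plugin_version(header_text)
    return {
        "version": version,
        "vulnerable_version": version is not None and is_vulnerable_version(version),
        "suspicious_uploads": find_php_in_uploads(wp_content),
    }


if __name__ == "__main__":
    # Run against the constructed tree; on a real site pass your wp-content path
    # and the contents of the plugin's header file instead.
    print(audit(build_demo_tree(), SAMPLE_HEADER))
```

The scan deliberately looks at file contents rather than extensions alone, because the article describes webshells hidden in image files; a stray .jpg that carries a PHP open tag is as much a finding as an outright .php file. Anything the scan reports in lib/files/ is worth quarantining and reviewing, and a version in the flagged range means the update to 6.9 is still outstanding.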

The incidence of WordPress cyberattacks is rising

WordPress is the most popular CMS platform in the world, and it’s used by over 75 million people, so it doesn’t come as a surprise that it’s one of hackers’ favorite targets. According to the latest statistics, WordPress alone powers 35% of the Internet in 2020, and 661 new WP websites appear every day. Although WordPress invests heavily in security, the problem comes from its many plugins: more than 50,000 plugins are available for the CMS, so there’s always a strong possibility that hackers find and exploit a security flaw in one of them. In May alone, security experts detected a 30-fold increase in the number of WP attacks, and nearly 1 million websites were affected. Just like in the case of File Manager, those attacks also came from plugin vulnerabilities, and webmasters were warned that they need to update as soon as possible to avoid damage.