Millions of websites vulnerable due to zero-day in WordPress plugin

WordPress is under fire after hackers discovered a vulnerability in the popular plugin ‘File Manager.’ Over the past week, millions of WordPress sites have been probed for the weakness and, where it was present, exploited. According to Defiant, the company behind the Wordfence web firewall, the number of sites attacked could be higher than reported.

The sudden rise in attacks started after hackers found out about a zero-day vulnerability in File Manager, a plugin installed on more than 700,000 sites. The zero-day was an unauthenticated file upload vulnerability that allowed cybercriminals to upload malicious files to sites running an older version of the File Manager plugin.

A sharp spike in attacks

It was not immediately clear how the hackers found the zero-day, but there had been thousands of probes for sites using the plugin since early last week. If a probe revealed the weakness, the hackers would then use the zero-day exploit to upload a web shell camouflaged as an image file to the victim’s server. The attackers would then access this shell on the server and subsequently take over the victim’s site by enrolling it in a botnet.
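The web shell described above is hidden behind an image file name, which is the kind of artifact a site owner can look for after patching. The following is an added example, not code from the article or from the File Manager project: a small scanner that walks a WordPress uploads directory and flags image-named files that contain a PHP open tag, whose leading bytes do not match the magic number their extension promises, or that carry a double extension such as `name.php.jpg`. The directory layout, file names and file contents in `demo()` are constructed samples for illustration; the regular expression, magic-byte table and indicator names are this example's own choices.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions that an image-only upload filter would normally accept.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico"}

# PHP open tags (<?php ... or the short echo tag <?=). An image file has no
# legitimate reason to contain either; their presence is the core indicator
# of an image/PHP polyglot. "<?xml" is deliberately not matched.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Leading bytes (magic numbers) for the most common image formats.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def inspect_file(path: Path) -> List[str]:
    """Return the indicator names that apply to one file; an empty list means clean."""
    reasons: List[str] = []
    data = path.read_bytes()
    ext = path.suffix.lower()

    # 1. Embedded PHP code anywhere in the file body.
    if PHP_TAG_RE.search(data):
        reasons.append("php-open-tag")

    # 2. Extension claims an image format but the header says otherwise.
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append("magic-mismatch")

    # 3. Double extension (e.g. upload.php.jpg), a classic bypass for
    #    suffix-only upload filters and a sign of a mis-scoped PHP handler.
    inner = [s.lower() for s in path.suffixes[:-1]]
    if ".php" in inner:
        reasons.append("double-extension")

    return reasons


def scan_uploads(root: Path) -> Dict[str, List[str]]:
    """Walk root recursively and map each suspicious image-named file to its indicators."""
    findings: Dict[str, List[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in IMAGE_EXTENSIONS:
            reasons = inspect_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_constructed_samples(root: Path) -> None:
    """Write constructed sample files (not from any real incident) under root."""
    month = root / "2020" / "09"
    month.mkdir(parents=True, exist_ok=True)
    # Two clean images: correct magic bytes, no PHP, single extension.
    (month / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (month / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
    # Polyglot: valid JPEG header followed by a harmless PHP marker block.
    (month / "avatar.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* constructed marker */ ?>"
    )
    # Not an image at all, renamed to .png to slip past a suffix check.
    (month / "banner.png").write_bytes(b"not an image")
    # Double extension plus a short echo tag.
    (root / "upload.php.jpg").write_bytes(b"\xff\xd8\xff" + b"<?= /* marker */ ?>")


def demo() -> Dict[str, List[str]]:
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return scan_uploads(root)


if __name__ == "__main__":
    # Point scan_uploads() at wp-content/uploads on a real site; demo() uses samples.
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

A hit on `php-open-tag` is the strongest indicator and warrants quarantining the file and checking web server and plugin logs for the upload; `magic-mismatch` alone can also be a corrupted upload, so it is a prompt to look rather than a verdict. The scan is read-only and does not execute or modify anything it finds.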

So far, millions of sites have been probed, and those where the flaw was found have been attacked. Tom Gall, a threat analyst at Defiant, said that attacks against the vulnerability had risen considerably.

A patch is available

At first, the attacks were slow, but word got around, and they spiked throughout last week. Defiant recorded attacks against 1 million WordPress sites in a single day, on Friday, September 4.

Gall said that Defiant had blocked attacks aimed at 1.7 million sites since September 1, the day it discovered that the attacks were happening.

The File Manager developer team has since created and released a patch for the flaw. They released it the same day they learned that their plugin was being used to attack sites. Some site owners have installed the patch, but others have not. If you are using the plugin, update immediately.