Rewterz Threat Alert – Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites
September 17, 2020
Severity
High
Analysis Summary
A zero-day vulnerability has been reported in the File Manager plugin for WordPress, a plugin with more than 700,000 active installations, of which 52% are running an affected version. The vulnerability is being actively exploited. It allows unauthenticated users to execute commands and upload malicious files on a target site.

File Manager is a plugin designed to help WordPress administrators manage files on their sites. It bundles an additional library, elFinder, an open-source file manager that provides a simple file management interface and the core functionality behind the plugin. The File Manager plugin used this library in a way that introduced the vulnerability. The core of the issue is that the plugin renamed the elFinder library's connector.minimal.php.dist file to a .php extension so it could be executed directly, even though the connector file was not used by File Manager itself. Such libraries often ship example files that are not intended to be used as-is without adding access controls, and this file had no direct access restrictions, meaning anyone could reach it. The file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.

The attacks we are seeing in the wild use the upload command to upload PHP files containing webshells, hidden in an image, to the wp-content/plugins/wp-file-manager/lib/files/ directory.
Impact
- Remote Code Execution
- Website Takeover
Affected Products
WordPress File Manager plugin versions 6.0 – 6.8
Indicators of Compromise
Filename
- hardfork[.]php
- hardfind[.]php
- x[.]php
Source IP
- 185[.]222[.]57[.]183
- 185[.]81[.]157[.]132
- 185[.]81[.]157[.]112
- 185[.]222[.]57[.]93
- 185[.]81[.]157[.]177
- 185[.]81[.]157[.]133
Remediation
- Block the threat indicators at their respective controls.
- Update WordPress File Manager Plugin to version 6.9.
- Look for these file names in the /wp-content/plugins/wp-file-manager/lib/files directory of your site.
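The following script is an added example, not part of the Rewterz alert, that turns the remediation steps above into a repeatable check against a WordPress document root: it reads the plugin version from the standard WordPress plugin header, flags anything below 6.9 as unpatched, looks for the three IOC filenames under wp-content/plugins/wp-file-manager/lib/files, and additionally reports any other .php file in that directory, since it is meant to hold user files rather than executable code. The path of the renamed connector (lib/php/connector.minimal.php) and the plugin header filename used in the constructed sample tree are assumptions; the sample install it builds in a temporary directory is constructed for the demonstration and contains only inert placeholder files.

```python
# Added example, not code from the Rewterz alert: defender-side check for the
# File Manager plugin conditions described above. Paths marked "assumed" are not
# taken from the alert.
import os
import re
import tempfile

# Filenames from the alert's IOC list (the "[.]" de-fanging restored to ".")
IOC_FILENAMES = {"hardfork.php", "hardfind.php", "x.php"}
PLUGIN_DIR = os.path.join("wp-content", "plugins", "wp-file-manager")
# Directory the alert names as the webshell drop location
UPLOAD_DIR = os.path.join(PLUGIN_DIR, "lib", "files")
# Assumed location of the renamed connector.minimal.php.dist inside the plugin
CONNECTOR = os.path.join(PLUGIN_DIR, "lib", "php", "connector.minimal.php")
# The alert lists 6.0 - 6.8 as affected and 6.9 as the fix; anything below 6.9
# is treated here as unpatched.
FIXED_VERSION = (6, 9)

# Standard WordPress plugin header line, e.g. " * Version: 6.8"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def version_tuple(version):
    """'6.8' -> (6, 8); non-numeric parts are dropped so comparison stays sane."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def read_plugin_version(wp_root):
    """Return the 'Version:' header value of the plugin, or None if not installed.
    WordPress reads that header from a .php file in the plugin's top directory."""
    plugin_root = os.path.join(wp_root, PLUGIN_DIR)
    if not os.path.isdir(plugin_root):
        return None
    for name in sorted(os.listdir(plugin_root)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_root, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read(4096))  # header sits at the top
        if match:
            return match.group(1)
    return None


def php_files_in_upload_dir(wp_root):
    """All .php files under lib/files, relative to that directory."""
    upload = os.path.join(wp_root, UPLOAD_DIR)
    if not os.path.isdir(upload):
        return []
    found = []
    for dirpath, _dirs, files in os.walk(upload):
        for name in files:
            if name.lower().endswith(".php"):
                found.append(os.path.relpath(os.path.join(dirpath, name), upload))
    return sorted(found)


def assess(wp_root):
    """Summarise the alert's indicators for one WordPress document root."""
    version = read_plugin_version(wp_root)
    php_files = php_files_in_upload_dir(wp_root)
    return {
        "installed": version is not None,
        "version": version,
        "vulnerable_version": version is not None and version_tuple(version) < FIXED_VERSION,
        "connector_present": os.path.isfile(os.path.join(wp_root, CONNECTOR)),
        "ioc_matches": [f for f in php_files if os.path.basename(f) in IOC_FILENAMES],
        "other_php": [f for f in php_files if os.path.basename(f) not in IOC_FILENAMES],
    }


def build_sample_install(wp_root, version="6.8", infected=True):
    """Constructed sample tree for a stand-alone run; not a real site and the
    plugin header filename is assumed. All PHP placeholders are inert comments."""
    def write(rel, text):
        path = os.path.join(wp_root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    write(os.path.join(PLUGIN_DIR, "plugin-main.php"),
          "<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n" % version)
    write(os.path.join(UPLOAD_DIR, "photo.jpg"), "constructed placeholder, not a jpeg")
    if version_tuple(version) < FIXED_VERSION:
        write(CONNECTOR, "<?php // constructed placeholder for the exposed connector\n")
    if infected:
        write(os.path.join(UPLOAD_DIR, "hardfork.php"), "<?php // constructed placeholder\n")
        write(os.path.join(UPLOAD_DIR, "notes.php"), "<?php // constructed placeholder\n")


def demo(version="6.8", infected=True):
    """Build the constructed sample install in a temp dir and assess it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root, version, infected)
        return assess(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Point `assess()` at a real document root (for example `assess("/var/www/html")`) to run it against a live site; `demo()` only exists so the script runs offline against the constructed tree. A hit in `other_php` is not proof of compromise on its own, but any PHP in that upload directory deserves the same review as the named IOCs.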