WordPress File Manager plugin flaw allowing full site takeover exploited in the wild

The developers of the WordPress File Manager plugin have fixed an actively exploited security flaw that allows a site running it to be completely taken over.

According to the Sucuri WordPress security team, the vulnerability was introduced in version 6.4 of the plugin, which is used as an alternative to FTP for managing file transfers, copies, deletions and downloads.

The file manager has more than 700,000 active installations.

In version 6.4, released on May 5, a file in the plugin was renamed for development and testing purposes. However, instead of being kept as a local modification, the renamed file was committed to the project and shipped.


The file in question comes from the third-party dependency elFinder and was being used as a code reference. Its extension was changed: connector.minimal.php-dist became connector.minimal.php, a small adjustment, but enough to create a critical vulnerability in the popular plugin.

The elFinder script, like the file manager itself, gives users elevated privileges to edit, upload and delete files. The .php-dist file is a configuration template: a site operator who wants to set up the elFinder file manager simply renames it from .php-dist to .php. Shipping it already renamed, with no authentication in front of it, is what opened the path for attacks.

While the file may have helped the team test features locally, the researchers say that leaving such a script, deliberately designed not to check access permissions, in a public release creates a "catastrophic vulnerability if that file is left as ... it is in production."

"This replacement allowed any unauthenticated user to directly access this file and execute arbitrary commands in the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover," says Sucuri.

The fix, included in version 6.9, is simple: the file, which was never part of the plugin's functionality anyway, is deleted, along with the other unused .php-dist files.
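As an added example (not code from the page, the plugin or Sucuri), the following Python script does the two checks a site operator would want after reading the above: it walks a plugin directory for a live connector.minimal.php (the file whose presence is the bug) and scans web-server access-log lines for requests to that file, counting them per hour and flagging requests that could write to disk. The plugin path wp-content/plugins/wp-file-manager/lib/php and the set of elFinder command names are assumptions not stated on the page; the log lines are constructed for the example, not real traffic.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The shipped elFinder connector file. The plugin path is an assumption (not stated on the page).
CONNECTOR_NAME = "connector.minimal.php"
ASSUMED_PLUGIN_PATH = "wp-content/plugins/wp-file-manager/lib/php"

# elFinder API commands that write to the filesystem (assumed to be the ones worth flagging).
MUTATING_CMDS = {"upload", "put", "mkfile", "mkdir", "rm", "rename", "paste", "extract", "chmod"}

# Constructed sample access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2020:10:12:01 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=upload&target=l1_Lw HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.7 - - [31/Aug/2020:10:12:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 1024 "-" "python-requests/2.24"
198.51.100.4 - - [31/Aug/2020:11:40:33 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2020:11:41:10 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 300 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "cmd": query.get("cmd", [None])[0],
        "status": int(m["status"]),
    }


def find_connector_hits(log_text):
    """Return parsed requests whose path ends in the connector file, wherever the plugin lives."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("/" + CONNECTOR_NAME):
            hits.append(rec)
    return hits


def hits_per_hour(hits):
    """Bucket connector requests by hour, the metric used to describe the attack wave."""
    return Counter(h["ts"].strftime("%Y-%m-%d %H:00") for h in hits)


def write_capable_hits(hits):
    """Requests that could write to disk: a mutating cmd in the query, or any POST (cmd may be in the body)."""
    return [h for h in hits if h["cmd"] in MUTATING_CMDS or h["method"] == "POST"]


def find_live_connectors(plugin_root):
    """Walk a plugin directory and return every live connector (a .php, not a .php-dist template)."""
    found = []
    for dirpath, _, files in os.walk(plugin_root):
        if CONNECTOR_NAME in files:
            found.append(os.path.join(dirpath, CONNECTOR_NAME))
    return sorted(found)


def demo_audit():
    """Build a throwaway plugin tree mimicking the vulnerable layout and audit it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, ASSUMED_PLUGIN_PATH)
    os.makedirs(lib)
    with open(os.path.join(lib, CONNECTOR_NAME), "w") as f:
        f.write("<?php // renamed from connector.minimal.php-dist: the mistake shipped in 6.4\n")
    return find_live_connectors(root)


if __name__ == "__main__":
    print("live connector files:", demo_audit())
    hits = find_connector_hits(SAMPLE_LOG)
    print("connector requests:", len(hits))
    for hour, n in sorted(hits_per_hour(hits).items()):
        print(f"  {hour}: {n} request(s)")
    for h in write_capable_hits(hits):
        print(f"  WRITE? {h['ip']} {h['method']} cmd={h['cmd']} status={h['status']}")
```

Two caveats when running this against real logs: an upload sends its cmd in a multipart POST body, which an access log does not record, so the script treats every POST to the connector as write-capable rather than trusting the query string; and a 200 on such a request after the plugin was updated still means the file was reachable at the time, so the disk audit should be paired with a look for new PHP files under the upload directory.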


However, a week before the file was removed, proof-of-concept (PoC) code was published to a GitHub repository, prompting a wave of attacks on websites before version 6.9 was available.

Sucuri says the exploit quickly gained traction. The first attack was detected on August 31, a day before the release of the fixed version of the file manager, at a rate of about 1,500 attacks per hour; a day later the rate averaged 2,500 attacks per hour, and on September 2 the team recorded some 10,000 attacks per hour.

In total, Sucuri tracked "hundreds of thousands of requests from malicious actors to exploit it."


Although the vulnerability has been resolved, at the time of writing only 6.8% of WordPress sites running the plugin have updated to the corrected version, leaving many sites exposed.

In July, a reflected XSS vulnerability was fixed in KingComposer, a WordPress drag-and-drop page-builder plugin. The bug, CVE-2020-15299, was caused by an inactive Ajax action that could be abused to deliver malicious payloads.
