Millions of WordPress sites are being attacked after a security flaw was discovered in a popular add-on.
Researchers at security firm Defiant have warned that the File Manager plugin, used on hundreds of thousands of WordPress sites, has a zero-day vulnerability that allows hackers to launch attacks against users.
The flaw allows attackers to upload malicious files to WordPress sites that are not running the latest version of File Manager.
Defiant noted in a blog post that the File Manager plugin is installed on more than 700,000 WordPress websites, estimating that more than a third (37.4%, or about 261,800 websites) still have vulnerable versions of the plugin installed.
The company, which operates the Wordfence Web Firewall service, says it has recorded attacks on 1.7 million sites since the vulnerability was first exploited, with 11 sites attacked more than 100,000 times.
File Manager's developers have created and released a fix for the vulnerability, and users are urged to update their software as soon as possible.

Given the broad file access that File Manager grants a user in the wp-admin dashboard, the flaw can give attackers access to every part of an affected WordPress site.
In practice, attackers can exploit the flaw to upload an image file containing a hidden web shell. Once it is on the victim's server, attackers can use the web shell to take over the victim's site.
The security flaw is present in File Manager versions 6.0 through 6.8, so WordPress site owners should update the plugin to version 6.9 without delay to head off any attack exploiting the now-patched vulnerability.
The news comes a few months after a similar critical vulnerability was disclosed by Wordfence in a WordPress plugin installed on more than 80,000 websites. That vulnerability was introduced in version 7.0.0 of wpDiscuz, which added a feature allowing users to attach images to comments.
Although the feature was designed to allow only image uploads, its file-type verification could be easily bypassed, allowing hackers to upload any file of their choosing and lay the groundwork for a site takeover.
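Both incidents above hinge on the same weakness: an "image" upload whose type is checked by name alone, so a file carrying a hidden web shell gets through. The following is an added defensive example (not code from Defiant, Wordfence, or either plugin) showing what a content-based check looks like; the signature allowlist, the `classify_upload` and `scan_uploads` names, and the sample files are all constructed for this example.

```python
import re

# Magic-byte signatures for the image formats we allow (constructed allowlist).
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# A PHP open tag anywhere in an "image" means it can act as a web shell if the
# server is ever tricked into executing it.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'accept', or a 'reject: ...' string naming the failed check.

    Checks, in order: exactly one allowlisted extension, leading bytes that match
    that extension's signature, and no embedded PHP tag anywhere in the content.
    A production handler should additionally store the file under a server-
    generated name rather than the name the client supplied.
    """
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # "shell.php.png" style double extensions defeat naive suffix checks
        return "reject: filename must have exactly one extension"
    ext = parts[1]
    sig = IMAGE_SIGNATURES.get(ext)
    if sig is None:
        return f"reject: extension .{ext} is not an allowed image type"
    if not data.startswith(sig):
        return f"reject: content does not match a .{ext} signature"
    if PHP_TAG_RE.search(data):
        return "reject: image contains an embedded PHP tag"
    return "accept"


def scan_uploads(files: dict) -> list:
    """Run classify_upload over {filename: bytes} and return the names that fail.
    Useful for sweeping an existing uploads tree after an incident."""
    return [name for name, data in files.items() if classify_upload(name, data) != "accept"]


if __name__ == "__main__":
    # Constructed sample "uploads" directory: one clean PNG, one PNG with a PHP tag appended.
    sample = {
        "photo.png": IMAGE_SIGNATURES["png"] + b"\x00" * 16,
        "avatar.png": IMAGE_SIGNATURES["png"] + b"<?php echo 1; ?>",
    }
    for name in scan_uploads(sample):
        print(name, "->", classify_upload(name, sample[name]))
```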
Via ZDNet
TechRadar is part of Future plc, an international media group and leading digital publisher.