
WordPress FTP file renaming vulnerability saw 10,000 hacks in an hour!


After the recent user outcry over site crashes on WordPress 5.5 and a bug in the File Manager plugin, the developers of the platform were quick to develop a patch. The developers have reportedly patched an actively exploited security issue that permits full website hijacking. According to the Sucuri WordPress security team, a possible issue was introduced in version 6.4 of the software. The software can be used as an alternative to FTP: the File Manager plugin manages file transfers, copying, deletion, and uploads in WordPress.

Around 700,000 users have installed the File Manager plugin. Version 6.4 of the plugin was released on May 5. In that version, a file in the plugin was renamed for development and testing purposes. The file was meant only for testing, but it was shipped with the official release and delivered to users. This file was the main issue in the FTP bug. ElFinder’s script gives users advanced privileges for modifying, uploading and deleting files. According to the researchers, this can cause a lot of disruption in the system.

Because of this bug, any user can access the file without any special permission. They can perform actions such as executing arbitrary commands against the library, and uploading and modifying files. This ultimately leaves the website vulnerable to a complete takeover. The fix for the bug was included in the new version, 6.9: the developers simply deleted the file. Before the update, many attacks were launched through the vulnerability.
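For site owners checking their own installs, the following added example (not code from the plugin or from Sucuri) reads the standard WordPress plugin header from each plugin's top-level PHP files and flags any File Manager copy older than the fixed version 6.9. It assumes that matching the header name on "file manager" is enough and that any version below 6.9, or one that cannot be parsed, should be treated as unpatched. The plugin tree in `demo()` is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 9)  # release that removed the leftover file, per the article
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def read_header(php_file):
    """Return the 'plugin name' and 'version' fields from a plugin header comment."""
    # WordPress only inspects the first 8 KiB of a plugin file for its header.
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER.findall(head):
        value = re.sub(r"\s*(\*/|\?>).*", "", value).strip()
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def parse_version(text):
    """'6.4' -> (6, 4); returns None when no leading dotted number is present."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in m.group().split(".")) if m else None

def audit(plugins_dir, name_fragment="file manager"):
    """Return [(plugin_dir, version, needs_update)]; unparsable versions are flagged."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = read_header(php)
        if name_fragment not in hdr.get("plugin name", "").lower():
            continue
        ver = parse_version(hdr.get("version", ""))
        findings.append((php.parent.name, hdr.get("version", ""), ver is None or ver < FIXED))
    return findings

def demo():
    """Constructed plugin tree: an old File Manager, a patched one, an unrelated plugin."""
    samples = {
        "fm-old/fm.php": "<?php\n/*\n * Plugin Name: File Manager\n * Version: 6.4\n */\n",
        "fm-new/fm.php": "<?php\n/**\n * Plugin Name: File Manager\n * Version: 6.9\n */\n",
        "gallery/gallery.php": "<?php\n/* Plugin Name: Gallery\n Version: 1.0 */\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(body)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of the `wp-content/plugins` directory to `audit()`.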

The first attack took place on 31st August. After the attack, a fixed version of the file manager was released. Around 1500 attacks per hour were recorded. The rate then rose to an average of 2,5000 attacks every 60 minutes. 10,000 attacks per hour were recorded by September 2.