Plugin, called WP File Manager, has a 0-day vulnerability that allows attackers to upload files to websites without authorization and execute code remotely on all WordPress instances that have the said plugin installed.
Basically utilizing the vulnerability, attackers can steal data, destroy sites or add their own code to websites, which could mine cryptocurrencies or distribute harmful code to website users' computers.
Both, the basic version of WP File Manager and also the paid-for version, WP File Manager Pro are affected. In total, these plugins have more than 700k active installations globally.
Developers were alerted of the issue and they released a updated version v6.9 that fixes the security problem. It is adviced to update WP File Manager to 6.9 or above - or uninstall it immediately.
More info: Seravo Oy press release
WordPress is by far the most popular publishing platform in the world, with millions of websites using it as their content management system and more.
Written by: Petteri Pyyny @ 2 Sep 2020 10:07