Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

Millions of Websites Affected By WP File Manager Plugin Vulnerability

Update WordPress File Manager Plugin With the Latest Version – Its Vulnerability Can Affect 700K Sites

Recently a few months earlier, in September 2020, the WordPress File Manager plugin has patched and actively exploits a vulnerability that permits full website hijacking.

According to the report of Sucuri, the WordPress security team, the vulnerability has emerged in version 6.4 of the software, which is used for managing file transfers, deletion, copying, and uploads as an alternative instead of FTP.

wordpress file manager
File Manager has more than 700K active installations, which means all those who haven’t updated the plugin yet are vulnerable to this vulnerability.

Here Are the Technical Details of Vulnerability

File Manager Version 6.4 was released on May 5, in that one file was renamed in the plugin during the development and testing phase. Instead of keeping it for only local change, that renamed file was accidentally added to the live project, and the same got published in the newer version 6.4.

However, that file got noticed and pulled by third-party dependency elFinder, an open-source file manager, and it was used as a code reference. An extension was added to the file with a little tweak of renaming the connector-minimal.php-dist to connector-minimal.php, which was more than enough to trigger a severe vulnerability in this popular File Manager WordPress plugin.

wp vulnerability 700K
Though making use of this file for reference may have helped the team to test features locally. Still, the researchers also said that designing such a script intentionally for not checking access permission and keeping it open may become a catastrophic vulnerability if the file is left unchanged during deployment.

Further, this change allowed unauthenticated users to directly access the file and execute arbitrary commands like uploading or deleting the file, ultimately leaving the website vulnerable to an attack that can completely take it over.

What’s an elFinder?

An open-source package, elFinder, is a file manager for the web, and according to its packagist page, it has been installed more than 2M times, making it one of the popular packages.

Further, being a file manager, anyone can access its features that provide privileges on the site that can modify, upload, or delete files. But, it’s also aimed for easy setup and use. Though, for that, you’ll require to rename one file according to their installation instructions that you can get from GitHub.

wp vulnerability 700k install
It makes it easy for testing purposes on your localhost and helps you develop features for the product without messing with the surrounding environment like WordPress. Still, it can become catastrophic vulnerability if the file is left as-is during the deployment phase. As it’s a minimal file that’s needed for running the project, it doesn’t carry permission to check and an overall safety mechanism that’s needed for surrounding its use.

And, a similar thing happened in the case of File Manager. The renamed file left as it’s on the release of version 6.4 that caused this massive vulnerability. While further analysis of this vulnerability also showed that it was possible for bypassing the built-in file upload protection.

The Core Issue Was Due to the Renaming of the Extension on the elFinder

The core issue for this vulnerability was the file renaming on the library named connector.minimal.php.dist file to .php that can be executed directly, even though the File Manager itself didn’t use the connector file. Usually, these libraries include example files that aren’t intended for the “as it is” used without adding any access controls. This file didn’t have any access restrictions that means it was accessible to everyone.

And further, this file could be used for initiating the elFinder command, which was hooked to the elFinderConnector.class.php file.

149 // run elFinder

150 $connector = new elFinderConnector(new elFinder($opts));

151 $connector->run();

Exploit Because of Vulnerability Found in WordPress File Manager Plugin Version 6.4

Its exploit has gained huge popularity once it’s discovered, and it’s even responsible for impacting at a high level with low requirements. It has seen hundreds to thousands of requests through malicious actors that attempted to exploit it. The first attack due to this vulnerability was found on August 31, 2020, the day before the plugin got updated. And, within an hour, it started reporting 1.5K attacks every hour. Further, on September 1, 2020, it got attacked on an average of 2.5K attacks per hour, and on September 2, 2020, it peaked at 10K+ attacks per hour.

Here’s the Brief Timeline of Vulnerability

  • May 5, 2020: File manager released version 6.4 that came out with severe vulnerability.
  • August 25, 2020: An exploit released on GitHub for the File Manager.
  • August 31, 2020: Attacks started appearing against this File Manager WordPress plugin.
  • September 1, 2020: The plugin version 6.9 released that fixed this vulnerability.
However, the major issue is that even after the patches are released, according to data, few have updated this new patch, and many still run that un-patched version that keeps them open to attack. If you’re using this File Manager WordPress plugin, it’s recommended to update it, or else if you’re aren’t, then completely remove this plugin.


Here, we’ve detailed a vulnerability that has exploited the File Manager WordPress plugin that lets attackers execute arbitrary code on a WordPress site without any authentication. Though the vulnerability has been solved and even the patch has been released, the main issue is that many still haven’t updated the plugin, which is one of the main issues of website owners that they don’t regularly check for updates.

Further, the main barrier between development and the deployed solutions is a thin line between security vulnerabilities. Though these mistakes and misfortunes happen, website owners’ responsibility is to keep their site safe. For instance, for this WordPress, File Manager plugin related vulnerability patch is already released. So, if you haven’t patched yet, then you should do it or remove the plugin.

Furthermore, users are suggested to go for known and respected WAF (Web Application Firewall) such as Sectigo Web Firewall. It blocks all the malicious payloads by default through their exploitation rules, policies, and comprehensive protection through their huge database of 10M+ threats, cloud-based technology to deploy and protect the site, and easy to generate detailed reports making complex security easy and simple.

Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More