Hackers are exploiting a critical vulnerability that allows them to execute commands and malicious scripts on websites running File Manager, a WordPress plugin. The flaw affects versions of the popular third-party plugin WordPress File Manager, which is installed on over 700,000 websites.
WordPress File Manager is a tool that makes it simple for webmasters to upload, edit, archive, and delete folders on their website's backend. Hackers have found a way to exploit version 6.8 and below of WordPress File Manager to inject malicious code onto websites without authorization, creating backdoors for further abuse. The attackers are reported to be uploading files that contain web shells hidden inside an image. While a directory restriction prevents them from executing commands outside that directory, they can cause more damage by uploading scripts that act on other parts of the website.
WordPress security firm Wordfence has blocked over 450,000 exploit attempts in the last several days. Although the makers of WordPress File Manager issued an update (version 6.9) on September 1st, 2020, to resolve the issue, hundreds of thousands of websites are still thought to be running the vulnerable version of the plugin.
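As an added example (not code from the report, Wordfence, or the plugin's authors), here is a defender-side check in Python: it reads a plugin's version from its header comment and flags it when it is 6.8 or lower, and it inspects an uploaded file for the pattern described above, an image signature with embedded PHP. The plugin header wording follows the standard WordPress plugin header convention; all sample inputs are constructed and no real plugin file or payload is used.

```python
import re

# Version at or below which the report says File Manager is exploitable;
# 6.9 is the patched release.
LAST_VULNERABLE = (6, 8)

# Magic bytes of common image formats. A file that starts with one of these
# but also carries a PHP open tag matches the "web shell hidden in an image"
# pattern described in the report.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def parse_plugin_version(header_text: str):
    """Read the 'Version:' line of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version) -> bool:
    """True for 6.8 and below, per the report; tuple comparison handles 6.10 > 6.9."""
    return version is not None and version <= LAST_VULNERABLE


def image_with_php(data: bytes):
    """Return the image type if data has an image signature AND a PHP open tag."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic) and PHP_TAG.search(data):
            return kind
    return None


# Constructed samples (assumed header text, not a real plugin file or payload).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n"
SAMPLE_UPLOAD = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* placeholder */ ?>"
CLEAN_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print("plugin version", v, "vulnerable:", is_vulnerable(v))
    print("image carrying PHP:", image_with_php(SAMPLE_UPLOAD))
```

Run the version check against the plugin's main PHP file and the upload check against files in the plugin's upload directory; any image that returns a type here deserves a closer look.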
Not all WordPress plugins are built to the same standard, and a plugin's quality also affects a site's speed. If you want your site to work faster, choose the lightweight, faster plugins available, and check a plugin in detail before integrating it with your WordPress site.