An advisory was issued for three WordPress file management plugins that are affected by a vulnerability that allows unauthenticated attackers to delete arbitrary files. The three plugins are installed on over 1.3 million websites.
Outdated Version Of elFinder
The vulnerability is caused by outdated versions of the elFinder file manager, specifically versions 2.1.64 and earlier. These versions contain a Directory Traversal vulnerability that allows attackers to manipulate file paths to reach outside the intended directory. By sending requests with sequences such as example.com/../../../../, an attacker could make the file manager access and delete arbitrary files.
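The defensive counterpart to the traversal described above is a containment check: resolve the user-supplied path against the directory the file manager is meant to serve and refuse anything that lands outside it, after percent-decoding so that encoded forms of `../` get the same treatment. The following is an added example, not code from elFinder or from any of the named plugins; the base directory, the `/file-manager/` endpoint and the log lines are constructed for illustration.

```python
"""Path-containment check plus a traversal scan over web-server log lines.

Added example, not code from elFinder or from the plugins named in the
advisory. It shows the check a file manager must perform before acting on a
user-supplied path, and a quick way to spot traversal attempts in access logs.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directory the file manager is supposed to serve; the real
# plugins' configuration is not on the page and this value is an assumption.
BASE_DIR = "/var/www/html/wp-content/uploads"


def is_path_contained(requested: str, base_dir: str = BASE_DIR) -> bool:
    """Return True only if `requested`, resolved against `base_dir`, stays inside it.

    The request is percent-decoded twice (to defeat double encoding) before
    normalisation, so '%2e%2e/' is treated exactly like '../'. A leading slash
    is stripped because posixpath.join would otherwise let an absolute path
    replace the base entirely. commonpath compares whole segments, so a
    sibling such as '.../uploads-old' is rejected as well.
    """
    decoded = unquote(unquote(requested))
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    return posixpath.commonpath([base, candidate]) == base


# Combined-log-format prefix: client IP, identity, user, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
# '..' followed by a path separator (or end of string) in the decoded request path.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")

# Constructed sample log lines; the /file-manager/ endpoint is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /file-manager/list?dir=docs HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /file-manager/delete?path=../../../../wp-config.php HTTP/1.1" 200 87
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /file-manager/delete?path=%2e%2e%2f%2e%2e%2findex.php HTTP/1.1" 200 87
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096
"""


def find_traversal_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_request_path) for every line whose decoded
    request path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(unquote(unquote(m.group("path")))):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    for p in ("docs/report.pdf", "../../../../wp-config.php",
              "%2e%2e/%2e%2e/wp-config.php", "../uploads-old/x"):
        print(f"{p!r:40} contained={is_path_contained(p)}")
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The containment check deliberately re-roots absolute paths under the base rather than rejecting them, which is the behaviour most file managers want; the log scan decodes before matching so that a naive `../` substring filter at the edge is not the only thing standing between a request and the filesystem.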
Affected Plugins
Wordfence named the following three plugins as affected by this vulnerability:
1. File Manager WordPress Plugin
Installations: 1 Million
2. Advanced File Manager – Ultimate WP File Manager And Document Library Solution
Installations: 200,000+
3. File Manager Pro – Filester
Installations: 100,000+
According to the Wordfence advisory, the vulnerability can be exploited without authentication, but only if a site owner has made the file manager publicly accessible, which limits the possibility of exploitation. That said, two of the plugins indicated in their changelogs that an attacker needs at least subscriber-level authentication, the lowest level of website credentials.
Once exploited, the flaw allowed deletion of arbitrary files. Users of the named WordPress plugins should consider updating to the latest versions.