WordPress Websites Attacked via Vulnerability in File Manager Plugin
Here is The Story:
Recently, a zero-day vulnerability was discovered by Seravo - a Finnish hosting provider. Hackers found a vulnerability in the plugin "WordPress File Manager." This exploit allowed the hackers to upload files and remotely execute code on any WordPress site with the plugin installed.
WordPress (WP) is an internet company that provides an easy tool for building websites, requiring little to no coding. WordPress comes stocked with many features, including the ability to use third-party plugins, some of which cost money.
One of the most popular plugins, WordPress File Manager, is a tool used by many WordPress website managers to edit, upload, delete, and archive files on the backend of their site.
The recently discovered exploit allows hackers to escalate privileges and essentially do whatever they want with any website that has the WordPress File Manager plugin. It is likely that the hackers could have implemented password phishing to obtain a database of passwords for WordPress users. They also could have done other things, like completely take a site offline and stop it from working - similar to the effects of a DDoS attack - but worse.
WP File Manager has been installed on over 700,000 websites, which is a huge chunk of them. WP File Manager's creators patched this vulnerability as quickly as possible, but there is still a huge issue.
Hundreds of thousands of small businesses have not updated and are still vulnerable. This is why it is important to follow networking websites such as The Network Post to stay up to date on the largest networking news stories.
Sadly, many small business owners who do not keep up to date may have no idea how to access their backend, as they might have paid a WordPress developer a one-time charge to build their website, leaving the site permanently vulnerable.
If you were affected, you should reinstall WordPress and change all of the passwords to something secure, new, and unique. You should also send an email to the users of your website, if you have any, asking them to change their passwords as well.