On 01/09/2020, a critical vulnerability was identified in the WordPress File Manager plugin. It allows remote attackers to upload and execute arbitrary PHP code on the affected site, and it affects File Manager plugin versions 6.0 to 6.8.
Members are strongly advised to upgrade the file manager plugin to the fixed version, 6.9.
The vulnerability is being actively scanned for and exploited.
Recommendations:
• Check all WordPress sites for the file manager plugin
• Upgrade the plugin to version 6.9, if not already done
• Check for any indicators of compromise
• Report as necessary to Janet CSIRT
Indicators of compromise:
The following files have been seen uploaded to sites running a vulnerable File Manager version.
• Feoidasf4e0_index.php
• hardfork.php
• hardfind.php
• x.php
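A check that combines the recommendations above (confirm the plugin version, look for the listed file names) into one script. It is added here as an example and is not part of the Janet CSIRT advisory; it assumes the plugin's published directory `wp-content/plugins/wp-file-manager` and main file `file_folder_manager.php`, and it runs against a constructed WordPress tree rather than a live site.

```python
import re
import tempfile
from pathlib import Path

# Plugin location and main file as published on wordpress.org (assumption for your layout).
PLUGIN_MAIN = Path("wp-content/plugins/wp-file-manager/file_folder_manager.php")
VULN_RANGE = ((6, 0), (6, 8))          # affected versions stated in the advisory
IOC_FILES = {"Feoidasf4e0_index.php", "hardfork.php", "hardfind.php", "x.php"}
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.MULTILINE)

def version_tuple(version):
    """'6.8' -> (6, 8); patch levels such as '6.8.1' are tolerated."""
    return tuple(int(p) for p in version.split("."))

def is_vulnerable(version):
    """True when the major.minor part falls within the advisory's 6.0 to 6.8 range."""
    lo, hi = VULN_RANGE
    return lo <= version_tuple(version)[:2] <= hi

def plugin_version(wp_root):
    """Read the Version: header of the plugin's main file; None if the plugin is absent."""
    main = Path(wp_root) / PLUGIN_MAIN
    if not main.is_file():
        return None
    match = VERSION_RE.search(main.read_text(errors="replace"))
    return match.group(1) if match else None

def find_iocs(wp_root):
    """Paths (relative to the web root) of any file whose name matches the advisory's IoCs."""
    root = Path(wp_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name in IOC_FILES)

def check_site(wp_root):
    """Summarise one WordPress install: installed version, vulnerable flag, IoC hits."""
    ver = plugin_version(wp_root)
    return {"version": ver,
            "vulnerable": ver is not None and is_vulnerable(ver),
            "iocs": find_iocs(wp_root)}

def demo():
    """Constructed WordPress tree: plugin at 6.8 plus one dropped file from the IoC list."""
    with tempfile.TemporaryDirectory() as tmp:
        main = Path(tmp) / PLUGIN_MAIN
        main.parent.mkdir(parents=True)
        main.write_text("<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n")
        (main.parent / "hardfork.php").write_text("<?php // constructed placeholder\n")
        return check_site(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `check_site` at each site's web root; an absent plugin yields `version: None`, and any IoC hit warrants the compromise check and report recommended above.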
The following source IP addresses have been seen scanning for and/or exploiting this vulnerability.
Full details and references: