Hackers are exploiting a flaw in the WordPress plugin File Manager to break into websites, posing a threat to more than 52 percent of its 700,000 active installations, researchers warned on Tuesday.
Thai website security firm NinTechNet was among the first to catch and report the attacks. According to CEO Jerome Bruandet, hackers were trying to crack websites first, but are highly likely to come back later, since they password-protected their access to the infected files and sites. He added that the hackers' intentions will become clear in the next few days, when they return.
"All commands can be run in the /lib/files folder (create folders, delete files, etc.), but the most important issue is that they can upload PHP scripts into that folder too, and then run them and do whatever they want to the blog," Bruandet said in an e-mail on Tuesday.
Another website security firm, Wordfence, said that it blocked more than 450,000 attacks in recent days. Hackers were trying to inject files, mostly empty, apparently in order to upload malware later. Exploiting a flaw in a plugin like File Manager could allow attackers to operate directly from the WordPress dashboard. By gaining access to the site's admin area, they could expand the scope of the attacks.
"For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit," Chloe Chamberland, a researcher with Wordfence, said.
The flaw affects only File Manager versions 6.0 through 6.8, so researchers recommend updating to 6.9 as soon as possible.
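As an added, defender-side illustration (not code from the article or from either security firm), the script below does the two checks a site owner would want after reading the above: it reads the plugin's version from a standard WordPress plugin header and flags the 6.0 to 6.8 range the article names, and it lists files under the plugin's `lib/files` folder that a PHP server would execute, which is where the article says attackers drop scripts. The plugin directory name `wp-file-manager`, the header text and the file listing are assumptions constructed for this example; the article does not state them.

```python
"""Post-incident checks for the File Manager plugin issue described above.

Assumptions not stated in the article: the plugin lives under
wp-content/plugins/wp-file-manager/ and its main file carries a standard
WordPress plugin header with a "Version:" line. The sample header and the
file listing at the bottom are constructed for illustration only.
"""
import re
from pathlib import Path, PurePosixPath

VULNERABLE_MIN = (6, 0)
VULNERABLE_MAX = (6, 8)          # the article says 6.9 carries the fix
PLUGIN_DIR = "wp-content/plugins/wp-file-manager"   # assumed plugin slug
UPLOAD_SUBDIR = "lib/files"      # folder named in the article
# Extensions that common PHP server configurations execute.
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}


def parse_version(header_text: str):
    """Extract the 'Version:' value from a WordPress plugin header as a tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version) -> bool:
    """True when major.minor falls inside the 6.0 to 6.8 range."""
    if version is None:
        return False
    major_minor = (version + (0, 0))[:2]
    return VULNERABLE_MIN <= major_minor <= VULNERABLE_MAX


def suspicious_uploads(paths):
    """Return paths under the plugin's lib/files folder that carry a PHP
    extension anywhere in their name (so 'notes.php.txt' is flagged too)."""
    upload_root = PurePosixPath(PLUGIN_DIR, UPLOAD_SUBDIR)
    hits = []
    for raw in paths:
        p = PurePosixPath(raw)
        if upload_root not in p.parents:
            continue
        if any(s.lower() in PHP_EXTS for s in p.suffixes):
            hits.append(raw)
    return hits


def scan_install(wp_root: Path):
    """Run both checks against a real WordPress tree (hypothetical helper)."""
    main_file = wp_root / PLUGIN_DIR / "file_folder_manager.php"  # assumed name
    version = parse_version(main_file.read_text(errors="ignore")) if main_file.exists() else None
    listing = [f.relative_to(wp_root).as_posix() for f in wp_root.rglob("*") if f.is_file()]
    return {"version": version,
            "vulnerable": is_vulnerable_version(version),
            "suspicious": suspicious_uploads(listing)}


# ---- constructed sample data, not taken from any real site ----
SAMPLE_HEADER = """<?php
/*
Plugin Name: File Manager
Version: 6.8
*/
"""

SAMPLE_LISTING = [
    "wp-content/plugins/wp-file-manager/plugin-main.php",          # plugin code
    "wp-content/plugins/wp-file-manager/lib/files/report.pdf",     # benign
    "wp-content/plugins/wp-file-manager/lib/files/hello.php",      # flagged
    "wp-content/plugins/wp-file-manager/lib/files/photo.jpg",      # benign
    "wp-content/plugins/wp-file-manager/lib/files/cache/x.phtml",  # flagged
    "wp-content/plugins/wp-file-manager/lib/files/notes.php.txt",  # flagged
    "wp-content/uploads/2020/09/x.php",                            # outside scope
]


def sample_report():
    """Apply both checks to the constructed sample data."""
    version = parse_version(SAMPLE_HEADER)
    return {"version": version,
            "vulnerable": is_vulnerable_version(version),
            "suspicious": suspicious_uploads(SAMPLE_LISTING)}


if __name__ == "__main__":
    print(sample_report())
```

On a real install, `scan_install(Path("/var/www/html"))` performs the same two checks over the live tree; a non-empty `suspicious` list is a reason to treat the site as compromised regardless of whether the plugin has since been updated, since the article notes attackers intend to return to files they already placed.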