Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WordPress File Manager Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the WordPress File Manager plugin, specifically in versions 6.0 through 6.8. The issue arises because the plugin renames an example elFinder connector file to have a .php extension, allowing remote attackers to upload and execute arbitrary PHP code. Exploitation involves using the elFinder upload command to write PHP scripts into a directory where they can be executed.

Impact

Exploitation of this vulnerability allows for unauthorized remote code execution on the affected WordPress site.

Reproduction

To reproduce this vulnerability, upload a PHP file disguised as an image through the elFinder upload command via the vulnerable connector file. The uploaded file will be executed on the server, allowing for remote code execution.

Remediation

Users are advised to update the WordPress File Manager plugin to version 6.9 or later, as this version addresses the vulnerability by removing the problematic connector file. After updating, it's recommended to scan the site for any signs of exploitation, such as uploaded web shells, and to clean up any infections before restoring the site.
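The remediation above asks administrators to confirm the installed version and then scan for uploaded web shells. The following Python helpers are an added example, not the advisory's or the plugin's own code: one checks whether a plugin version string falls in the vulnerable 6.0 through 6.8 range, and one walks an upload directory and flags files that carry PHP code even when they were given an image extension. The upload directory, the plugin header text and the sample files are constructed assumptions.

```python
# Defender-side checks for the remediation advice above (added example, not the
# plugin's or the advisory's own code; sample files below are constructed).
import os
import re
import tempfile

PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # <?php / <?= but not <?xml
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

def is_vulnerable_version(version: str) -> bool:
    """True for File Manager 6.0 through 6.8; 6.9 and later carry the fix."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return (6, 0) <= parts < (6, 9)

def plugin_version_from_header(main_file_text: str):
    """WordPress plugins declare their version in a 'Version:' header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", main_file_text, re.MULTILINE)
    return m.group(1) if m else None

def find_suspicious_files(upload_root: str, max_read: int = 65536) -> list:
    """Return (path, reason) for upload-tree files carrying PHP by extension or open tag."""
    findings = []
    for dirpath, _, filenames in os.walk(upload_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(max_read)  # bounded prefix; dropped scripts are small
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                findings.append((path, "executable PHP extension in upload tree"))
            elif PHP_TAG.search(head):
                findings.append((path, "PHP open tag inside non-PHP file"))
    return findings

def write_constructed_sample(root: str) -> None:
    """Constructed upload directory: clean image, disguised PHP, dropped script, XML."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "avatar.jpg": b"GIF89a <?php echo 'constructed sample'; ?>",
        "cache.php": b"<?php echo 'constructed sample'; ?>",
        "feed.xml": b"<?xml version='1.0'?><rss/>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":  # stand-alone demo on the constructed directory
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        print(find_suspicious_files(tmp))
```

Point `find_suspicious_files` at the directory the plugin writes uploads into; any hit should be treated as a possible web shell and reviewed before the site is restored.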

Added: Apr 7, 2026, 9:33 AM
Updated: Apr 7, 2026, 9:33 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.