TTCSIRT-355.09.07.20: TT-CSIRT ADVISORY – WordPress File Manager Plugin Vulnerability

Security researchers have identified a high severity vulnerability in the WordPress File Manager plugin. This vulnerability allows unauthenticated users to execute commands and upload malicious files on a target site.

All WordPress versions running the File Manager plug-in before version 6.9 are vulnerable.

The File Manager plugin is designed to help WordPress administrators manage files on their sites. The plugin contains an additional library, elFinder, which is an open-source file manager designed to create a simple file management interface and provides the core functionality behind the file manager. The File Manager plugin uses the library in a way that introduced a vulnerability.

CISA encourages users to immediately patch the File Manager plug-in to version 6.9 in order to mitigate this vulnerability.

For further information and support, please visit the following link:
https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/


If you have any queries or comments with regards to this advisory, please feel free to contact TTCSIRT via contacts@ttcsirt.gov.tt