WordPress File Manager Plugin Exploit for Unauthenticated RCE
Tutorial Boy


A critical vulnerability was found in one of the popular WordPress plugins, File Manager. Successful exploitation of this vulnerability leads to a complete takeover of the target site, and the worst part is that the attacker does not need any credentials to do it.

What Was That Plugin?

To make everyday file operations on a site easier, the WordPress File Manager plugin comes into the picture. It allows editing, deleting, uploading, downloading, copying and pasting files and folders directly from the WordPress backend.
(Image: the popular WordPress File Manager plugin)
It has over 600K active installations; as of writing, the latest version is 6.9, which was last updated a month ago. The plugin requires PHP version 5.2.4 or higher and has been tested up to WordPress version 5.5.1.
I will start by walking you through the vulnerability, followed by a demonstration of how this issue is exploited. Note that the vulnerability affects File Manager plugin versions 6.0 to 6.8 only.

The Vulnerability:

The File Manager plugin uses the elFinder library, and the issue starts when the plugin renames connector.minimal.php.dist to connector.minimal.php by removing the .dist extension.
This file is hooked into elFinderConnector.class.php and is used to initiate elFinder commands. After analyzing the run function, it turned out that any parameter sent in a request to connector.minimal.php is processed by the run function in elFinderConnector.class.php. Let me quickly show you the available commands in elFinder.class.php.

As for the lack of authentication: the endpoint connector.minimal.php is directly accessible without logging in.

Here I have a simple script that prints the PHP information. I upload this file using a simple HTML form, which I host locally with Python. When I open the form and upload the file, it lands in /wp-content/plugins/wp-file-manager/lib/files, and requesting that location shows the PHP information. Checking the server's file system also confirms that the file has been written there.
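From the defender's side, the two observable traces of what is described above are a request to the connector file without any admin session and a PHP file being served from the lib/files directory. The following detection script is an added example, not code from the original post or from the plugin; it parses combined-format web server access logs, flags both traces, and correlates them per client IP. The sample log lines are constructed, and the lib/php/ directory of the connector in them is an assumption (the rule matches on the file name only, so it does not depend on that guess). Legitimate admin use of the plugin should be checked against your own baseline before alerting on every connector request.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined log format), not real traffic.
# The lib/php/ directory of the connector is an assumption; the rule matches on
# the basename connector.minimal.php, so it works regardless of the directory.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2020:10:12:01 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.5 - - [01/Sep/2020:10:12:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/info.php HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2020:10:13:10 +0000] "GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2020:10:13:12 +0000] "GET /wp-content/plugins/wp-file-manager/lib/css/elfinder.min.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Directory the post shows the uploaded file landing in.
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

RULE_CONNECTOR = "connector-request"
RULE_UPLOAD_PHP = "php-served-from-upload-dir"


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    target: str


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(req):
    """Map one parsed request to a detection rule name, or None if benign."""
    path = req["target"].split("?", 1)[0]
    basename = path.rsplit("/", 1)[-1]
    if basename == "connector.minimal.php":
        # Any request reaching the elFinder connector directly.
        return RULE_CONNECTOR
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php") and req["status"] == "200":
        # A PHP file under lib/files was executed and answered successfully.
        return RULE_UPLOAD_PHP
    return None


def scan_log(text):
    """Run every rule over a log text and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        rule = classify(req)
        if rule:
            findings.append(Finding(req["ip"], req["ts"], rule, req["target"]))
    return findings


def correlate(findings):
    """Return the set of IPs that both hit the connector and fetched PHP from lib/files."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.rule)
    return {ip for ip, rules in by_ip.items() if {RULE_CONNECTOR, RULE_UPLOAD_PHP} <= rules}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.ip} {f.rule}: {f.target}")
    print("suspected upload-and-execute sequences from:", sorted(correlate(found)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the correlation step is the part worth keeping, because a lone connector request may be an admin, while a connector request followed by a successful fetch of a PHP file from lib/files from the same IP is the sequence the post demonstrates.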
Remediation:

A patch for this issue has been released, and I highly recommend upgrading the plugin to the latest version, i.e. 6.9, as soon as possible.
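To check whether a given installation still needs that upgrade, here is an added example (not code from the original post or the plugin) that reads the installed plugin version from the standard WordPress plugin header, compares it with the affected range 6.0 to 6.8, checks whether the renamed connector.minimal.php is present, and lists any PHP files sitting in the lib/files upload directory named in the post. The make_fixture helper builds a constructed fake plugin tree for demonstration; the main file name main.php and the lib/php/ connector directory in that fixture are assumptions, and the checks themselves do not depend on either.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MIN = (6, 0)   # first affected version named in the post
AFFECTED_MAX = (6, 8)   # last affected version named in the post
FIXED_VERSION = "6.9"

# WordPress plugin header line, e.g. " * Version: 6.8" inside the top comment block.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def parse_version(s):
    """'6.8' -> (6, 8) so that tuples compare numerically, not lexically."""
    return tuple(int(p) for p in s.strip().split("."))


def read_plugin_version(plugin_dir):
    """Find the PHP file carrying the 'Plugin Name:' header and return its Version."""
    for php in Path(plugin_dir).glob("*.php"):
        head = php.read_text(errors="ignore")[:8192]
        if "Plugin Name:" not in head:
            continue
        m = HEADER_VERSION_RE.search(head)
        if m:
            return m.group(1)
    return None


def assess(plugin_dir):
    """Return a dict describing the exposure of one wp-file-manager directory."""
    d = Path(plugin_dir)
    version = read_plugin_version(d)
    vulnerable = version is not None and AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    upload_dir = d / "lib" / "files"
    stray_php = sorted(p.relative_to(d).as_posix() for p in upload_dir.glob("*.php")) if upload_dir.is_dir() else []
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        # The post describes the bug starting with the .dist suffix being removed.
        "connector_renamed": any(d.rglob("connector.minimal.php")),
        "php_in_upload_dir": stray_php,
        "action": (f"upgrade to {FIXED_VERSION}; review and remove stray PHP under lib/files"
                   if vulnerable or stray_php else "no action"),
    }


def make_fixture(root, version, rename_connector=True, stray_upload=False):
    """Build a constructed fake plugin tree for testing (not the real plugin's files)."""
    root = Path(root)
    (root / "lib" / "php").mkdir(parents=True)      # connector directory: assumption
    (root / "lib" / "files").mkdir(parents=True)    # upload directory named in the post
    (root / "main.php").write_text(                # main file name: assumption
        f"<?php\n/**\n * Plugin Name: File Manager\n * Version: {version}\n */\n")
    name = "connector.minimal.php" if rename_connector else "connector.minimal.php.dist"
    (root / "lib" / "php" / name).write_text("<?php // stub connector\n")
    if stray_upload:
        (root / "lib" / "files" / "info.php").write_text("<?php // stub uploaded file\n")
    return root


def demo():
    """Assess one affected tree with a stray upload and one patched tree."""
    with tempfile.TemporaryDirectory() as tmp:
        vuln = assess(make_fixture(Path(tmp) / "vuln", "6.8", stray_upload=True))
        patched = assess(make_fixture(Path(tmp) / "patched", FIXED_VERSION, rename_connector=False))
    return vuln, patched


if __name__ == "__main__":
    for label, result in zip(("affected", "patched"), demo()):
        print(label, result)
```

Point assess() at the real wp-content/plugins/wp-file-manager directory of a site to get the same report; a version inside the affected range or any PHP file under lib/files is the cue to upgrade and to investigate how that file got there.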