
Vulnerable WordPress Plugin Affecting Sites

August 15, 2025 Posted by Matthew Widdop Round-Up
Author Profile
Matthew Widdop

Matty is a Digital SEO Executive at Intelligency, helping our clients to improve their digital performance. Matty is currently studying for his Level 3 Multi-Channel Marketer apprenticeship and has completed a Sport Journalism Degree at the University of Huddersfield.

A vulnerability across 3 WordPress file plug-ins is leaving up to 1.3 million sites on the platform susceptible to cyber attacks. The plug-ins affected include File Manager WordPress Plugin, Advanced File Manager and File Manager Pro.

How are sites affected?

The core vulnerability can be exploited by anyone on the internet, without a login, if the file manager has been set to be publicly accessible. Once hackers have exploited the plugin, they can start deleting files on your site, causing major damage. This could wipe out themes, plug-ins and media libraries or disable a site completely, leading to major SEO ranking drops, financial loss and damage to brand reputation.

How is the vulnerability caused?

The vulnerability is caused by outdated versions of the elFinder file manager. elFinder is not a WordPress plugin but an open-source file manager library that can be integrated into other tools. The vulnerable WordPress plugins use elFinder to provide their file management features. Versions 2.1.64 and earlier are susceptible and are easily manipulated by attackers.

How to fix the issue

Site owners can keep their sites safe by updating to the latest versions of the plug-ins, which don’t use the susceptible version of elFinder, and by ensuring that no file manager is publicly accessible on their site. Restrict access to trusted accounts only, such as admins.
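
One way to check which installed plug-ins still bundle elFinder 2.1.64 or earlier, as an added example (not code from this article or from the plug-in vendors). It assumes the bundled JavaScript keeps upstream elFinder's `prototype.version` assignment; the plug-in folder names and file contents are constructed samples.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 1, 64)  # from the article: elFinder 2.1.64 and earlier

# Assumption: bundled copies keep upstream's `elFinder.prototype.version = '2.1.64'` line.
VERSION_RE = re.compile(r"""\.prototype\.version\s*=\s*['"](\d+(?:\.\d+)+)['"]""")


def parse_version(text):
    """'2.1.64' -> (2, 1, 64); numeric compare puts 2.1.7 below 2.1.64."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_elfinder(plugins_dir):
    """Return (relative path, version or None, status) per elFinder JS file."""
    root, findings = Path(plugins_dir), []
    for path in sorted(root.rglob("*.js")):
        if "elfinder" not in path.name.lower():
            continue
        rel = path.relative_to(root).as_posix()
        match = VERSION_RE.search(path.read_text(encoding="utf-8", errors="replace"))
        version = match.group(1) if match else None
        if version is None:
            status = "unknown"  # no version marker: check this copy by hand
        else:
            status = "affected" if parse_version(version) <= LAST_AFFECTED else "ok"
        findings.append((rel, version, status))
    return findings


def build_sample_tree():
    """Constructed sample: hypothetical plugin folders, not real plugin layouts."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "plugin-a/lib/js/elfinder.min.js": 'n.prototype.version="2.1.64";',
        "plugin-b/js/elfinder.full.js": "elFinder.prototype.version = '2.1.7';",
        "plugin-c/js/elfinder.min.js": "elFinder.prototype.version = '2.1.65';",
        "plugin-d/js/elfinder.min.js": "/* version string stripped */",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    print(*find_bundled_elfinder(build_sample_tree()), sep="\n")
```

Point `find_bundled_elfinder` at the site's `wp-content/plugins` directory, and treat an `unknown` result as needing a manual check rather than as safe.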

How this affects Site Owners

This is not the first and won’t be the last case of WordPress plugin vulnerabilities causing issues for site owners. Many of these vulnerabilities come from third-party libraries. Site owners need to continually monitor plug-ins and make sure they are updated promptly when possible to reduce the risk of vulnerability.
