Cyber attacks are an increasingly serious concern for the internet community. Researchers at Defiant, the company behind the Wordfence WordPress security plugin, observed a sharp rise in attacks targeting a recently disclosed vulnerability in the File Manager WordPress plugin.
In early September it emerged that attackers were uploading scripts and arbitrary code to WordPress sites running a vulnerable version of the plugin.
The File Manager plugin is installed on roughly 700,000 WordPress sites and lets site owners manage files directly from the WordPress dashboard.
Gonzalo Cruz of Arsys discovered the vulnerability and confirmed that attackers were already exploiting it to upload malicious PHP files to WordPress sites.
The plugin's developers patched the vulnerability quickly, releasing version 6.9; earlier releases remain exposed until they are updated.
Wordfence, Defiant's WordPress security product, confirmed that its web application firewall had blocked over 450,000 exploit attempts.
Wordfence wrote: “The Wordfence firewall has blocked over 450,000 exploit attempts targeting this vulnerability over the past several days. We are seeing attackers attempting to inject random files, all of which appear to begin with the word “hard” or “x”. From our firewall attack data, it appears that attackers may be probing for the vulnerability with empty files and if successful, may attempt to inject a malicious file. Here is a list of some of the files we are seeing uploaded:
hardfork.php
hardfind.php
x.php”
Wordfence reported that the attackers were trying to upload malicious PHP files into the wp-content/plugins/wp-file-manager/lib/files/ folder. That directory is meant to hold the documents users manage through the plugin, not code, so any .php file found there is a strong indicator of compromise.
Even after the patch was released, the threat actors kept targeting installs that had not yet been updated.
Wordfence counted attack attempts against over 1.7 million sites, rising to 2.6 million sites as of September 10, 2020.
A Moroccan threat actor known by the alias “Bajatax” has come to prominence and is exploiting the vulnerability at scale.
A second attacker was observed compromising sites and then password-protecting the plugin's connector.minimal.php file, the script through which the flaw is exploited, so that other attackers could not reinfect the same site through the same hole.
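The indicators above (a plugin release below 6.9, PHP files dropped into lib/files/ with names such as hardfork.php, hardfind.php or x.php, and requests to connector.minimal.php) are enough to triage a site. The following Python script is an added example, not code from the article, Wordfence or the plugin's authors. It assumes the plugin's main file is wp-content/plugins/wp-file-manager/file_folder_manager.php with a standard WordPress "Version:" header, that exploit requests hit the plugin's lib/php/connector.minimal.php, and that the web server writes Apache combined-format logs; the sample install and log lines it checks are constructed in the script itself.

```python
"""Triage helper for the File Manager incident: added example, not the
plugin's or Wordfence's code. Paths and the connector location below are
assumptions except lib/files/ and the dropped file names, which come from
the Wordfence quote in the article."""
import os
import re
import tempfile

PLUGIN_DIR = os.path.join("wp-content", "plugins", "wp-file-manager")
MAIN_FILE = "file_folder_manager.php"      # assumed main plugin file
UPLOAD_DIR = os.path.join("lib", "files")   # upload folder quoted by Wordfence
FIXED_VERSION = (6, 9)                      # first patched release

# WordPress plugin header line, e.g. " * Version: 6.8" or "Version: 6.9"
VERSION_RE = re.compile(r"^[\s*]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)
# Request line and status code from an Apache combined-format log entry
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
# Dropped-file names Wordfence reported: they begin with "hard" or are just "x"
DROPPED_NAME_RE = re.compile(r"(?:hard\w*|x)\.php", re.IGNORECASE)
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".phar")


def parse_version(header_text):
    """Return the plugin version as an int tuple, or None if no header found."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """Every release below 6.9 shipped the exploitable connector."""
    return version is not None and version < FIXED_VERSION


def matches_reported_pattern(filename):
    """True for names matching what Wordfence saw uploaded (hard*.php, x.php)."""
    return DROPPED_NAME_RE.fullmatch(filename) is not None


def find_php_files(files_dir):
    """List executable files under lib/files/, which should hold only documents."""
    hits = []
    for root, _dirs, names in os.walk(files_dir):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                hits.append(os.path.join(root, name))
    return sorted(hits)


def scan_access_log(lines):
    """Return (method, path, status) for requests to the exploited connector
    or to a PHP file inside the upload directory."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if "connector.minimal.php" in path or re.search(r"/lib/files/[^?]*\.php", path):
            hits.append((m.group("method"), path, int(m.group("status"))))
    return hits


def triage(site_root):
    """Check one WordPress install and return the findings as a dict."""
    plugin = os.path.join(site_root, PLUGIN_DIR)
    if not os.path.isdir(plugin):
        return {"installed": False}
    version = None
    main_path = os.path.join(plugin, MAIN_FILE)
    if os.path.isfile(main_path):
        with open(main_path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top
    php_files = find_php_files(os.path.join(plugin, UPLOAD_DIR))
    rel = [os.path.relpath(p, plugin).replace(os.sep, "/") for p in php_files]
    return {
        "installed": True,
        "version": version,
        "vulnerable": is_vulnerable(version),
        "php_files": rel,
        "known_dropper_names": [p for p in rel if matches_reported_pattern(os.path.basename(p))],
    }


# Constructed access-log sample (RFC 5737 documentation addresses), not real traffic.
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [01/Sep/2020:10:00:00 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Sep/2020:10:00:02 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Sep/2020:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]


def build_constructed_site(root, version="6.8"):
    """Write a constructed install with two dropped (empty) probe files and one document."""
    plugin = os.path.join(root, PLUGIN_DIR)
    os.makedirs(os.path.join(plugin, UPLOAD_DIR))
    with open(os.path.join(plugin, MAIN_FILE), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n" % version)
    for name in ("hardfork.php", "x.php", "report.pdf"):
        open(os.path.join(plugin, UPLOAD_DIR, name), "w").close()  # empty, like the probes
    return plugin


def run_demo(version="6.8"):
    """Build the constructed site in a temp dir, triage it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_site(tmp, version)
        return triage(tmp)


if __name__ == "__main__":
    print(run_demo())
    print(scan_access_log(CONSTRUCTED_LOG))
```

Run it against a real install by calling triage() with the site's document root and scan_access_log() with the server's log lines. A version at or above 6.9 only means the hole is closed; files already dropped into lib/files/ stay executable until removed, which is why the directory scan runs regardless of the version result.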