tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Web Application Firewall
    Documentation
    Download PDF

    Notice for WordPress File Manager Arbitrary Code Execution Vulnerability

    Last updated: 2022-06-23 11:14:27
    Download PDF
      On September 6, 2020, Tencent Security noticed an arbitrary code execution vulnerability in the File Manager plugin of WordPress. Attackers can exploit this vulnerability to upload trojans and run arbitrary commands and malicious scripts on WordPress websites that contain File Manager.
      Tencent Security has captured exploitations in the wild (ITW), and Tencent Cloud WAF currently supports defense against them.

      Vulnerability Details

      Tencent Security noticed an arbitrary code execution vulnerability in the File Manager plugin of WordPress. Attackers can exploit this vulnerability to upload trojans and run arbitrary commands and malicious scripts on WordPress websites that contain File Manager. In the plugin library of wordpress.org, the version 6.8 provided by File Manager before September 1, 2020 is the affected version, which can be used by attackers to damage websites.
      File lib/php/*.php can be by default opened directly, and this file loads lib/php/*.php which reads POST/GET variables, and then allows executing some internal features, like uploading files. PHP is allowed, thus this leads to unauthenticated arbitrary file upload and remote code execution.

      Affected Versions

      WordPress File Manager < 6.9

      Suggestions for Fix

      An upgraded plugin has been officially released to fix this vulnerability. Tencent Security recommends you:
      Update WordPress File Manager to 6.9 or later.
      Use WAF to detect and block attacks.

      References

      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy