tencent cloud

Log In Sign Up Free

Detect AI Fraud with Tencent eKYC！Intercept 99%+ Deepfake Attacks!

Web Application Firewall

Release Notes and Announcements

Product Announcement

Adjusting Billing of WAF BOT Traffic Management

Security Advisory

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)

Notice for WebLogic Console HTTP RCE Vulnerability

Notice for Exchange Server Command Execution Vulnerability

Notice for Yonyou GRP-U8 SQL Injection Vulnerability

Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Notice for WordPress File Manager Arbitrary Code Execution Vulnerability

Jenkins Security Advisory for September

Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)

Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)

Product Introduction

Product Category

Plans and Editions

Supported Regions

Purchase Guide

Billing Overview

Chinese Mainland

WAF Plan Upgrade Method

Renewing Connections

Payment Overdue

Getting Started

Getting Started

FAQs for Beginners

Operation Guide

SaaS WAF Connection

Step 1. Add a Domain Name

Step 2. Perform Local Testing

Step 3. Modify DNS Resolution

Step 4. Configure a Security Group

Step 5. Verify the Configuration

CLB WAF Connection

Step 1. Confirm CLB Configuration

Step 2. Bind Domain Name to CLB Instance

Step 3: Verify the configuration

Connect Via Instance Object

Cloud-Native Instance Object Access

Bot and Application Security

Bot Settings

Bot Management

Client Risk Identification

Bot Analytics

Threat Intelligence Module

Bot Flow Statistics Module

Action Settings

Bot Traffic Visibility

Bot Traffic Analysis

Bot Traffic Details

Asset Center

Instance Management

Domain Name List

Advanced Connection Feature

API Asset Management

Basic Security Configurations

IP Blocking Penalty

Region Blocking

CC Protection Rule Settings

Web Tamper Protection

Data Leakage Protection

API Security Management

API Traffic Analysis

Threat Operation

API Event Management

Bot Event Management

Blocklist/Allowlist Protection Settings

Precise Allowlist Management

Traffic Inspection

Statistics and Logs

Sandbox Isolation Status

Practical Tutorial

WAF CCP Overview

Bot Management

Best Practices of Scenario-Based Bot Configuration

Best Practices of Bot Traffic Management Connection

API Security

API Security Practice Tutorial

WAF Working with API Gateway

API Capacity Protection

API Data Security and Enhancement

API Exposure Management

API Behavior Control

Integration

Combined Application of WAF and Anti-DDoS Pro

Applying for and Using Free HTTPS Certificates

Obtaining Real Client IPs

Replacing Certificate

Protection Configuration

Setting CC Protection

Connecting Frontend-Backend Separated Site to WAF CAPTCHA

Setting WAF Exception Alarms in TCOP

API Documentation

Making API Requests

Request Structure

Asset Management APIs

DescribeDomains

Billing APIs

GenerateDealsAndPayNew

DescribeInstances

Protection Settings APIs

Other APIs

IP Management APIs

DeleteIpAccessControlV2

DescribeBatchIpAccessControl

DescribeIpAccessControl

CreateIpAccessControl

ModifyIpAccessControl

ImportIpAccessControl

Integration APIs

DescribeHostLimit

DescribeUserDomainInfo

DescribeCertificateVerifyResult

DescribeTlsVersion

ModifyHostFlowMode

ModifySpartaProtection

AddSpartaProtection

DescribeUserClbWafRegions

RefreshAccessCheckResult

DeleteSpartaProtection

DescribeCiphersDetail

DescribeDomainDetailsClb

DescribeDomainDetailsSaas

ModifyDomainIpv6Status

DescribeVipInfo

Log Service APIs

GetAttackHistogram

GetAttackTotalCount

ModifyDomainPostAction

SearchAttackLog

Security Overview APIs

DescribeAttackType

DescribeHistogram

DescribePeakPoints

DescribePolicyStatus

DescribeTopAttackDomain

DescribeAttackOverview

FAQS

Product Consultation

Connection

Associated Product

Service Level Agreement

WAF Policy

Data Processing And Security Agreement

DocumentationWeb Application FirewallRelease Notes and Announcements Security AdvisoryNotice for WordPress File Manager Arbitrary Code Execution Vulnerability

Notice for WordPress File Manager Arbitrary Code Execution Vulnerability

Last updated: 2022-06-23 11:14:27

Notice for WordPress File Manager Arbitrary Code Execution Vulnerability

Last updated: 2022-06-23 11:14:27

On September 6, 2020, Tencent Security noticed an arbitrary code execution vulnerability in the File Manager plugin of WordPress. Attackers can exploit this vulnerability to upload trojans and run arbitrary commands and malicious scripts on WordPress websites that contain File Manager.
Tencent Security has captured exploitations in the wild (ITW), and Tencent Cloud WAF currently supports defense against them.
Vulnerability Details
Tencent Security noticed an arbitrary code execution vulnerability in the File Manager plugin of WordPress. Attackers can exploit this vulnerability to upload trojans and run arbitrary commands and malicious scripts on WordPress websites that contain File Manager. In the plugin library of wordpress.org, the version 6.8 provided by File Manager before September 1, 2020 is the affected version, which can be used by attackers to damage websites.
File lib/php/*.php can be by default opened directly, and this file loads lib/php/*.php which reads POST/GET variables, and then allows executing some internal features, like uploading files. PHP is allowed, thus this leads to unauthenticated arbitrary file upload and remote code execution.
Affected Versions
WordPress File Manager < 6.9
Suggestions for Fix
An upgraded plugin has been officially released to fix this vulnerability. Tencent Security recommends you:
Update WordPress File Manager to 6.9 or later.
Use WAF to detect and block attacks.
References
CVE 2020-25213

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

No

Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 available.

7x24 Phone Support

Hong Kong, China

+852 800 906 020 (Toll Free)

United States

+1 844 606 0804 (Toll Free)

United Kingdom

+44 808 196 4551 (Toll Free)

Canada

+1 888 605 7930 (Toll Free)

Australia

+61 1300 986 386 (Toll Free)

EdgeOne hotline

+852 300 80699

More local hotlines coming soon