WordPress File Manager Plugin Exploit for Unauthenticated RCE
In the 1st week of September, a critical vulnerability was found in one of the popular WordPress plugins, File Manager. Successful exploitation of this vulnerability leads to complete hijacking of the target site, and, notably, the attacker does not require any credentials to do so.
Tell me more about WordPress.
WordPress is a content management system written in PHP and paired with MySQL or MariaDB. To manage WordPress files and folders and perform operations on them, WordPress administrators used to work via FTP, SCP, cPanel, etc., which was a time-consuming and tedious task.
What was that plugin?
To carry out these operations more easily, the WordPress File Manager plugin comes into the picture. This plugin allows editing, deleting, uploading, downloading, copying, and pasting files and folders directly from the WordPress backend.
It has over 600K active installations, and to date the latest version is 6.9, which was last updated a month ago. To run this plugin, PHP version 5.2.4 or higher is required, and it has been tested up to WordPress version 5.5.1.
I will start by walking you through the vulnerability, followed by a demonstration of how this issue is exploited. Note that this vulnerability affects WordPress File Manager plugin versions 6.0 to 6.8 only.
Could you please elaborate on the vulnerability?
The File Manager plugin uses the elFinder library, and the issue starts when the plugin renames connector.minimal.php.dist to connector.minimal.php by removing the .dist extension. This file is hooked to elFinderConnector.class.php and is used to initiate elFinder commands. After analyzing the run function, it was found that any parameter sent in a request to connector.minimal.php is processed by the run function in elFinderConnector.class.php. Let me quickly show you the available commands in elFinder.class.php.
Also, regarding the lack of authentication: the endpoint connector.minimal.php is directly accessible without logging in.
Now, let's jump into the exploit. Here I have a simple script that prints the PHP information. I will upload this file using a simple form element. I have hosted this form locally using Python, and when I access it and upload the script, the file is placed in the /wp-content/plugins/wp-file-manager/lib/files location, which we are going to access and observe that we get the PHP information. Also, if I go to the server, we can see that the file has been uploaded.
Now I am going to upload a PHP reverse shell to the target site using the curl command and execute it. The curl payload looks like this, and once I execute it, we can access the file and gain a shell. On the other side, I have set up a Netcat listener, and when I access the file I get the shell.
Remediation:
A patch for this issue has been released, and I highly recommend upgrading the plugin to the latest version, i.e. 6.9, as soon as possible.
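Two defender-side checks that follow from the write-up above: whether an installed plugin version falls in the affected 6.0 to 6.8 range, and whether web server access logs show requests to the unauthenticated connector.minimal.php endpoint or to PHP files served from the lib/files upload directory. This is an added example, not code from the post or the plugin; the connector's lib/php/ location in the sample log and the log lines themselves are constructed.

```python
"""Defender-side triage for the wp-file-manager issue described above: flag the
affected version range and scan access logs for requests to the unauthenticated
elFinder connector or to PHP files in the plugin's upload directory."""
import re
from typing import Dict, List

# Paths named in the write-up. The connector's lib/php/ location is an
# assumption; the check below matches on the file name only, so any prefix works.
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"
AFFECTED = {f"6.{minor}" for minor in range(0, 9)}  # 6.0 .. 6.8 per the post

# Apache combined log format, up to and including the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def is_affected_version(version: str) -> bool:
    """True if the plugin version falls in the 6.0 to 6.8 range the post names."""
    return version.strip() in AFFECTED

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request worth reviewing, tagged with a reason."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.endswith("/connector.minimal.php"):
            # Every parameter sent here reaches elFinder's run() with no login.
            reason = "connector-request"
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            # A PHP file served from the upload directory is a likely webshell.
            reason = "php-in-upload-dir"
        else:
            continue
        findings.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": m.group("status"), "reason": reason})
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [02/Sep/2020:10:15:32 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [02/Sep/2020:10:15:40 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/info.php HTTP/1.1" 200 9814 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Sep/2020:10:16:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/logo.png HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]
```

Running `scan_access_log(SAMPLE_LOG)` yields two findings (the POST to the connector and the GET of info.php from the upload directory); the PNG and the malformed line are ignored.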
Disclaimer:
I have neither found this critical vulnerability nor am I taking any credit for this CVE. I have only created the video after analyzing the descriptions available on various blogs and public forums to help educate security enthusiasts about this issue. I am not responsible for any damage caused to an organization using this exploit, and I would advise users not to exploit this vulnerability without written consent from the organization, as it may leave the organization open to attacks by other hackers.