WordPress File Manager Plugin Exploit for Unauthenticated RCE

Pawan Jaiswal
Nov 7, 2020 · 4 min read
WordPress File Manager RCE

In the first week of September, a critical vulnerability was found in one of the most popular WordPress plugins, File Manager. Successful exploitation leads to complete takeover of the target site, and the worst part is that the attacker does not need any credentials to do it.

Tell me more about WordPress?

WordPress is a content management system written in PHP and paired with MySQL or MariaDB. To manage WordPress files and folders and perform any kind of operation on them, administrators traditionally had to go through FTP, SCP, cPanel, and the like, which was a time-consuming and tedious task.

[Image: WordPress look and feel for the default theme]

What was that plugin?

To carry out these operations more easily, the WordPress File Manager plugin comes into the picture. It allows you to edit, delete, upload, download, copy, and paste files and folders directly from the WordPress backend.

[Image: the popular WordPress File Manager plugin]

It has over 600K active installations, and to date the latest version is 6.9, last updated a month ago. The plugin requires PHP 5.2.4 or higher and is tested up to WordPress 5.5.1.

[Image: File Manager plugin details]

I will start by walking you through the vulnerability, followed by a demonstration of how this issue is exploited. Note that this vulnerability affects File Manager plugin versions 6.0 to 6.8 only.

Could you please elaborate on the vulnerability?

The File Manager plugin uses the elFinder library, and the issue starts when it ships elFinder's connector.minimal.php.dist renamed to connector.minimal.php, i.e. with the .dist extension removed. This file is hooked into elFinderConnector.class.php and is used to initiate elFinder commands. Analyzing the run function shows that any parameter sent in a request to connector.minimal.php is processed by the run function in elFinderConnector.class.php. Here are the available commands in elFinder.class.php.

[Image: list of valid commands from the plugin]

As for the lack of authentication: the endpoint connector.minimal.php is directly accessible without logging in.

[Image: accessing the endpoint without credentials]
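Because the connector is reachable without a WordPress session, a direct request to it never shows up as a logged-in user; the only trace on the server side is the web server access log. The following detection script is an added example, not code from the post or from the plugin: it parses combined-format access log lines (the Apache/nginx default) and flags any direct request to connector.minimal.php under the plugin directory, plus any request for a .php file in the lib/files upload location the post names. The connector's lib/php sub-directory in the sample lines and the `cmd` query parameter name (elFinder's dispatch parameter) are assumptions; the rule therefore matches on the file name anywhere under the plugin directory rather than on a fixed path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache and nginx by default:
# ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Plugin directory and upload location as named in the post; the connector's
# sub-directory is NOT assumed, only its file name is matched.
PLUGIN_PREFIX = "/wp-content/plugins/wp-file-manager/"
CONNECTOR_NAME = "connector.minimal.php"
UPLOAD_DIR = PLUGIN_PREFIX + "lib/files/"


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding dict for a suspicious request, or None for benign traffic."""
    url = urlsplit(entry["path"])
    path = url.path
    base = {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "status": entry["status"], "cmd": None}
    if path.startswith(PLUGIN_PREFIX) and path.endswith("/" + CONNECTOR_NAME):
        # elFinder dispatches on a 'cmd' parameter (assumed name). It is visible
        # here only for GET requests; POST bodies are not in the access log.
        base["cmd"] = parse_qs(url.query).get("cmd", [None])[0]
        return dict(base, rule="direct-connector-access", severity="high")
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
        # A PHP file being served from the upload directory means an uploaded
        # script is being executed, exactly the outcome the post demonstrates.
        return dict(base, rule="uploaded-php-execution", severity="critical")
    return None


def scan_log(lines):
    """Run every parseable line through classify() and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic): two benign requests, two direct
# connector hits, and one fetch of a PHP file from the upload directory.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2020:14:03:09 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2020:14:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2020:14:03:11 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Sep/2020:14:03:12 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 218 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Sep/2020:14:03:14 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/info.php HTTP/1.1" 200 65210 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():8} {f['rule']:26} {f['ip']} {f['method']} "
              f"cmd={f['cmd']} status={f['status']}")
```

Feed it `scan_log(open("/var/log/nginx/access.log"))` to run it over a real log; the output ordering follows the log, so a connector hit followed seconds later by a PHP fetch from lib/files from the same IP is the sequence to look for.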

Now let's jump to the exploit. I have a simple script that prints the PHP information. I upload this file using a simple form element; I hosted the form locally with Python, opened it, and uploaded the script through it. The file ends up in /wp-content/plugins/wp-file-manager/lib/files on the target. Browsing to that location returns the PHP information, which confirms code execution, and checking on the server side shows the file sitting in that directory.

[Image: target PHP information displayed, confirming RCE]

Next, I upload a PHP reverse shell to the target site using a curl command and execute it. The curl payload looks like this. Once it has been uploaded I can access the file, and with a Netcat listener already waiting on my machine, accessing the file gives me a shell on the target.

[Image: reverse shell from the target system]

Remediation:

A patch for this issue has been released, and I highly recommend upgrading the plugin to the latest version, i.e. 6.9, as soon as possible.
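Upgrading is the fix, but on a site that may have been exposed the checks a practitioner wants are: is the installed version in the affected 6.0 to 6.8 range, is the renamed connector.minimal.php present, and has anything been dropped into lib/files? The following script is an added example, not code from the post or from the plugin: it reads the `Version:` header from the plugin's main file, reports whether the version falls in the affected range the post gives, and lists the connector file and any PHP files under lib/files as indicators to review. The main file name `file_folder_manager.php` and the `lib/php` location of the connector in the constructed sample are assumptions; the upload directory and the version range come from the post.

```python
import os
import re
import tempfile

# Affected range and fixed version as stated in the post.
VULNERABLE_MIN = (6, 0)
VULNERABLE_MAX = (6, 8)
FIXED = (6, 9)
MAIN_FILE = "file_folder_manager.php"   # assumed name of the plugin's main file
CONNECTOR_NAME = "connector.minimal.php"


def parse_version(text):
    """Extract the 'Version:' header WordPress requires in a plugin's main file."""
    m = re.search(r'^\s*\*?\s*Version:\s*([0-9][0-9.]*)', text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version):
    """True when the major.minor part lies in the affected 6.0 .. 6.8 range."""
    if version is None:
        return False
    major_minor = (tuple(version) + (0, 0))[:2]
    return VULNERABLE_MIN <= major_minor <= VULNERABLE_MAX


def _rel(path, base):
    return os.path.relpath(path, base).replace(os.sep, "/")


def assess_plugin_dir(plugin_dir):
    """Return version status plus the on-disk indicators worth reviewing."""
    version = None
    main = os.path.join(plugin_dir, MAIN_FILE)
    if os.path.isfile(main):
        with open(main, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())

    # The renamed connector is the unauthenticated entry point described above.
    connector_paths = []
    for root, _dirs, files in os.walk(plugin_dir):
        if CONNECTOR_NAME in files:
            connector_paths.append(_rel(os.path.join(root, CONNECTOR_NAME), plugin_dir))

    # Uploaded files land in lib/files; PHP there is a strong sign of abuse.
    php_in_upload_dir = []
    files_dir = os.path.join(plugin_dir, "lib", "files")
    if os.path.isdir(files_dir):
        for root, _dirs, files in os.walk(files_dir):
            for name in files:
                if name.lower().endswith((".php", ".phtml", ".php5")):
                    php_in_upload_dir.append(_rel(os.path.join(root, name), plugin_dir))

    return {
        "version": version,
        "vulnerable_version": is_vulnerable(version),
        "connector_paths": sorted(connector_paths),
        "php_in_upload_dir": sorted(php_in_upload_dir),
    }


def build_sample_install(version="6.8"):
    """Constructed plugin tree mirroring the post's description (not a real install)."""
    base = tempfile.mkdtemp(prefix="wp-file-manager-")
    os.makedirs(os.path.join(base, "lib", "php"))
    os.makedirs(os.path.join(base, "lib", "files"))
    with open(os.path.join(base, MAIN_FILE), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n" % version)
    with open(os.path.join(base, "lib", "php", CONNECTOR_NAME), "w") as fh:
        fh.write("<?php // placeholder standing in for the elFinder connector\n")
    with open(os.path.join(base, "lib", "files", "info.php"), "w") as fh:
        fh.write("<?php // placeholder standing in for an uploaded script\n")
    return base


if __name__ == "__main__":
    report = assess_plugin_dir(build_sample_install("6.8"))
    print("version:", ".".join(map(str, report["version"])) if report["version"] else "unknown")
    print("in affected range:", report["vulnerable_version"], "(fixed in %d.%d)" % FIXED)
    print("connector files:", report["connector_paths"])
    print("PHP in lib/files:", report["php_in_upload_dir"])
```

Point `assess_plugin_dir()` at `wp-content/plugins/wp-file-manager` on a real site; a version in range is reason to upgrade, and any PHP under lib/files is reason to treat the host as compromised rather than merely vulnerable, since the upgrade removes the exposure but not anything already planted.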

Do you have a POC video for the same? Where can I find it?

I have also created a PoC video explaining and exploiting the vulnerability. If you are interested, please take a look at the video as well.

Disclaimer:

I neither found this critical vulnerability nor take any credit for the CVE (CVE-2020-25042). I only created the video after analyzing the descriptions available on various blogs and public forums, to help educate security enthusiasts about this issue. I am not responsible for any damage caused to an organization using this exploit, and I would advise users not to exploit this vulnerability without written consent from the organization, as it may leave the organization open to attacks by other hackers.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +787K followers.

Pawan Jaiswal

Written by

Security Engineer @ CISION | CEH | OSCP | HTB | CTF | Bug Bounty Hunter | Security Researcher | Full Stack Developer
