After WordPress released version 5.5, users complained of sites crashing on WordPress 5.5 and of a flaw in the File Manager plugin. The Sucuri WordPress security team has developed a patch for an actively exploited security issue that permitted full website hijacking.
Patch released in version 6.9
Version 6.4 of the plugin, released on May 5, has been installed by around 700,000 users. A file in the plugin was renamed for development and testing purposes, but the renamed file was accidentally shipped with the project. This file was the root cause of the FTP bug: elFinder’s script gives users advanced privileges to modify, upload, and delete files.
“This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover,” Sucuri said.
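The bug class described above is a bundled library script that answers web requests before the plugin has checked who is asking. The following is an added illustration, not code from the File Manager plugin or from elFinder, of the gate a WordPress plugin should run before handing a request to such a library; the connector file name, the function name and the nonce action are placeholders assumed for the example.

```php
<?php
// Added example (not the plugin's own code): authorization gate that must run
// before a bundled file-management library is loaded. The connector file name
// 'LIBRARY_CONNECTOR_PLACEHOLDER.php' and the nonce action are placeholders.

// 1. Refuse direct web requests. If WordPress has not been bootstrapped, the
//    script was reached by URL rather than through the plugin, which is exactly
//    the unauthenticated path the advisory describes. wp_die() is not available
//    yet at this point, so respond with plain PHP.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit( 'Direct access is not allowed.' );
}

function fm_example_authorize_connector_request() {
    // 2. Require an authenticated WordPress user.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 401 ) );
    }
    // 3. Require a capability that justifies changing files on disk.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 4. Require a valid nonce in the 'nonce' request parameter so the request
    //    came from the plugin's own UI and not from a forged cross-site request.
    //    'fm_example_connector' is the action name assumed for this example;
    //    check_ajax_referer() stops the request itself when the nonce is bad.
    check_ajax_referer( 'fm_example_connector', 'nonce' );
}

fm_example_authorize_connector_request();

// Only now is the library's connector loaded (placeholder file name).
require_once __DIR__ . '/LIBRARY_CONNECTOR_PLACEHOLDER.php';
```

The same three checks (bootstrap, capability, nonce) belong in front of every entry point the library exposes, since a single unguarded script is enough to bypass the rest.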
After the first attack was observed on 31 August, a fixed version of File Manager was released; the fix is included in version 6.9. Attack statistics show an average of 2,500 attacks every 60 minutes, and 10,000 attacks per hour were recorded by September 2.