The Wordfence Threat Intelligence team is seeing a dramatic increase in attacks targeting the recent 0-day in the WordPress File Manager plugin.

This plugin is installed on over 700,000 WordPress websites, and we estimate that 37.4% or 261,800 websites are still running vulnerable versions of this plugin at the time of this publication.

The vulnerability originated from the remains of a development environment on version 6.4 nearly 4 months ago, where a file was renamed to test certain features. The renamed file was accidentally added to the project instead of being kept as a local change.

The original file, provided by a third-party dependency elFinder, originally had the .php.dist extension and was to be used as a code example or reference during development, but was changed to .php by the File Manager team during development.

This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover.

The solution applied by the plugin team was to delete this file, which was never used by the plugin itself, and all of the other unused files ending with .php-dist to prevent it from reoccurring.

The following IP addresses have each attacked over 100,000 sites since September 3, 2020:

188.165.217.134
192.95.30.59
192.95.30.137
198.27.81.188
46.105.100.82
91.121.183.9
185.81.157.132
185.222.57.183
185.81.157.236
185.81.157.112
94.23.210.200

If you find that your site’s functionality requires consistent usage of the File Manager plugin, ensure it is updated to version 6.9, which patched this vulnerability.