Millions of WordPress sites are facing attacks following the discovery of a security flaw in a popular plugin, according to TechRadar. Researchers at security firm Defiant have warned that the File Manager plugin used by hundreds of thousands of WordPress sites has a zero-day vulnerability, allowing hackers to launch attacks on users. This flaw could allow attackers to upload malicious files onto WordPress sites that have not updated with the latest version of File Manager. Defiant, which operates the web firewall service Wordfence, says it has recorded attacks against 1.7 million sites since the vulnerability was first exploited, with 11 sites being targeted more than 100,000 times. The developers of the File Manager plugin have created and released a patch for the vulnerability, with users urged to update their software as soon as possible. Given the reach that File Manager allows a user on the wp-admin dashboard, the plugin could present attackers with access to all facets of affected WordPress sites.
Full story here: https://www.zdnet.com/
The biggest saga for web admins is keeping on top of the constant flow of threats: if you aren’t constantly vigilant, one could slip through the net. Unpatched plugins can be highly attractive to threat actors due to the sheer volume of WordPress sites and it is not uncommon for attackers to continually attempt exploiting a vulnerability, especially one that can take advantage of admin privileges. WordPress plugins should always be monitored closely by their admins and when updates are released they should be upgraded to the latest version immediately.
It is critical to keep a close eye on all areas of a WordPress admin section and keep all third party plugins updated as soon as patches are offered. Patching is a key process for any organisation – and failing to do so could result in a very costly outcome.
This is problematic since the plugin concerned is popular and the attack is from unauthenticated access to code execution on the vulnerable systems. Patches are available, and there are some time settings in WordPress to automatically update plugins, so many will already be protected, and others have good means of raising their security, but sadly there are many outdated sites and not maintained that will suffer breaches as a result of this.