A significant security vulnerability has been identified and patched in the widely used File Manager plugin for WordPress, which is installed on over 1 million websites. The vulnerability is rated 8.1 out of 10 in severity and could allow unauthenticated attackers to gain access to sensitive information, including data contained in site backups.
Unauthenticated Attack Vulnerabilities
What makes this vulnerability a high concern is that an attacker does not need login credentials in order to exploit it, which is what the term unauthenticated means.
In the context of a WordPress plugin vulnerability, this means an attacker can reach sensitive information without logging in or otherwise proving their identity. This particular attack exploits a security gap in the File Manager plugin that is classified as Use of Insufficiently Random Values.
The Common Weakness Enumeration security website describes this kind of vulnerability:
“The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
When product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.”
This category of vulnerability is due to a weakness in the File Manager plugin’s backup filename generation algorithm. The algorithm combines a timestamp with a four-digit random number, but that amount of randomness is not enough to keep an attacker from successfully guessing the file names. As a consequence, attackers can download backup files in configurations where no .htaccess file blocks direct web access to the backup directory.
Use of Insufficiently Random Values Vulnerability
The Use of Insufficiently Random Values vulnerability type describes a flaw in a component that relies on generating random, unpredictable values (here, the numbers embedded in backup file names) to prevent attackers from guessing what a backup file is called. The plugin’s lack of sufficient randomization allows an attacker to work out the file names and gain access to sensitive information.
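The following Python script is an added illustration, not code from the File Manager plugin or from Wordfence. It contrasts a filename scheme of the kind the advisory describes (a timestamp plus a four-digit number) with one built on a cryptographically secure random token, and quantifies the difference in bits of entropy. The exact name layout `backup_<unix seconds>_<4 digits>.zip` is an assumption chosen for the example; the plugin’s real format is not given on this page.

```python
"""Weak vs. hardened backup filename generation (added illustration)."""
import math
import re
import secrets
import time

# Assumed, illustrative layout: "backup_<unix seconds>_<4-digit number>.zip".
# It stands in for the timestamp-plus-four-digit scheme the article describes
# and is not the plugin's actual code.
WEAK_PATTERN = re.compile(r"^backup_(\d{10})_(\d{4})\.zip$")
FOUR_DIGIT_VALUES = 10_000  # 0000..9999


def weak_backup_name(unix_seconds: int, four_digit: int) -> str:
    """Timestamp plus a 4-digit number: the pattern CWE-330 warns about."""
    if not 0 <= four_digit < FOUR_DIGIT_VALUES:
        raise ValueError("four_digit must be in 0..9999")
    return f"backup_{unix_seconds}_{four_digit:04d}.zip"


def weak_candidate_count(window_seconds: int) -> int:
    """Number of distinct names the weak scheme can yield if the backup time is
    only known to within `window_seconds` (e.g. 3600 for 'some time that hour')."""
    return window_seconds * FOUR_DIGIT_VALUES


def entropy_bits(candidate_count: int) -> float:
    """Entropy, in bits, of a name chosen uniformly from `candidate_count` options."""
    return math.log2(candidate_count)


def hardened_backup_name(nbytes: int = 16) -> str:
    """CSPRNG-based name: 16 bytes gives 128 bits and leaks no timestamp."""
    return f"backup_{secrets.token_hex(nbytes)}.zip"


def hardened_candidate_count(nbytes: int = 16) -> int:
    """Size of the name space for `nbytes` random bytes."""
    return 256 ** nbytes


def looks_predictable(name: str) -> bool:
    """Defender-side check: flag files in a backup directory that still follow
    the weak, guessable layout so they can be renamed or moved out of webroot."""
    return WEAK_PATTERN.match(name) is not None


if __name__ == "__main__":
    now = int(time.time())
    weak = weak_backup_name(now, secrets.randbelow(FOUR_DIGIT_VALUES))
    strong = hardened_backup_name()
    print(weak, "predictable layout:", looks_predictable(weak))
    print(strong, "predictable layout:", looks_predictable(strong))
    print(f"weak, backup time known to the hour: "
          f"{entropy_bits(weak_candidate_count(3600)):.1f} bits")
    print(f"hardened 16-byte token: {entropy_bits(hardened_candidate_count()):.1f} bits")
```

Even with the backup time known only to the hour, the weak layout has roughly 25 bits of entropy, against 128 for the random token. An unguessable name is still only defence in depth: the fix a practitioner would pair it with is denying direct web access to the backup directory (for example with the .htaccess rule the advisory mentions), so that the name does not need to be secret at all.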
Vulnerable Versions Of The Plugin
The security vulnerability is found in all versions up to and including 7.2.1 and was patched in the latest update of the plugin, with the release of version 7.2.2.
The update, as noted in the File Manager WordPress Plugin Changelog Documentation, includes a fix for the security issue. Users of the plugin are strongly advised to update to this latest version to protect their websites from potential exploits.
Read the Wordfence advisory for more information:
File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames