CVE-2020-25213

File Manager Plugin vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Versions of the WordPress File Manager plugin (wp-file-manager) prior to 6.9 contain a critical unauthenticated remote code execution vulnerability. An attacker can upload arbitrary PHP files through the plugin without authenticating and then request them to execute code on the affected WordPress installation. The vulnerability was disclosed on September 9, 2020. CISA lists CVE-2020-25213 as exploited in the wild; it is not currently known to be used in ransomware campaigns.

Technical details

The plugin shipped the elFinder file-manager library's connector script as a PHP file that the web server would execute on a direct request. That script accepts elFinder commands, including the upload command, and the plugin never gated it behind a WordPress login, nonce or capability check, nor did it restrict the type of file being uploaded. An unauthenticated client can therefore POST a PHP file to the connector, which writes it into a directory under the plugin's own path. Because the web server treats that directory like any other, requesting the uploaded file executes it with the privileges of the web server user, giving complete compromise of the WordPress installation. Note that a directly requested PHP file runs whether or not the plugin is activated in WordPress, so deactivating the plugin alone does not close the hole.

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-862 (Missing Authorization).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows an unauthenticated attacker to gain complete control of the affected WordPress installation. An attacker can upload a PHP web shell, execute arbitrary code with the privileges of the web server user, steal sensitive data including database credentials and user information, modify site content, inject malicious code into the website, create backdoors for persistent access, launch further attacks against other systems on the network, or completely take down the website.

Mitigation and workarounds

Update the File Manager plugin to version 6.9 or later through the WordPress dashboard: Plugins > Installed Plugins > File Manager > Update Now. Alternatively, download the patched version from wordpress.org/plugins/wp-file-manager/ and install it manually. Version 6.9 and every later release (6.9.1, 6.9.2 and onward) include the fix. After updating, still check the plugin's directory for PHP files that were uploaded before the patch; updating removes the entry point, not a web shell that is already in place.

Temporary workarounds if an update cannot be applied immediately:

- Remove the plugin: deactivate it and then delete it from the Plugins menu. Deactivating is not sufficient on its own, because the vulnerable connector is a standalone PHP file that the web server executes on direct request regardless of the plugin's activation state.
- Block requests to the plugin's connector/upload endpoint with web application firewall (WAF) rules or server-level configuration (.htaccess for Apache, a location block for nginx).
- Disable PHP execution in the plugin's upload directory. Under Apache with mod_php this can be done with 'php_flag engine off' in .htaccess; under PHP-FPM that directive has no effect, so deny the requests instead. Avoid disabling PHP across all of wp-content/plugins without testing, since some plugins legitimately serve PHP files by direct request.
- Monitor the plugin's upload directory and the web server access logs for newly created .php files and for direct requests, especially POSTs, to the connector script.
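The Apache rules below are an added example, not configuration from the plugin or from this advisory. They assume Apache 2.4 syntax and the plugin layout described in public analyses of this CVE (the connector under lib/php/ and uploads under lib/files/ inside wp-content/plugins/wp-file-manager/); adjust the paths if your installation differs. Denying the request outright works under both mod_php and PHP-FPM, which is why it is used here instead of php_flag engine off.

```apache
# --- file: wp-content/plugins/wp-file-manager/lib/php/.htaccess ---
# Refuse direct HTTP requests to the elFinder connector. WordPress's own use of
# the plugin goes through wp-admin/admin-ajax.php, so nothing legitimate is lost.
<Files "connector.minimal.php">
    Require all denied
</Files>

# --- file: wp-content/plugins/wp-file-manager/lib/files/.htaccess ---
# This directory is where uploaded files land. Refuse to serve anything with a
# PHP-like extension from it, so a dropped web shell cannot be executed.
# Unlike "php_flag engine off", a Require denial also works under PHP-FPM.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```

For nginx, the equivalent is a `location ~ ^/wp-content/plugins/wp-file-manager/lib/(php/connector\.minimal\.php|files/.*\.ph(p[0-9]?|tml|ar))$ { return 403; }` block placed before the generic `location ~ \.php$` handler, since nginx picks the first matching regex location. Both variants need `AllowOverride` (Apache) or a configuration reload (nginx) to take effect, so verify with a direct request to the connector that you now receive a 403.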

CISA's recommendation: Apply updates per vendor instructions.
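The script below is an added example for the monitoring step, not tooling from the plugin vendor or from this advisory. It assumes access logs in the Apache "combined" / nginx default format and uses the connector and upload-directory paths reported in public analyses of this CVE; the three log lines and the planted shell file in the demo are constructed for illustration. It flags two things: any direct request to the connector script (the plugin's own UI never makes one) and any PHP file being served from, or sitting in, the upload directory.

```python
"""Hunt for CVE-2020-25213 exploitation: direct hits on the File Manager plugin's
elFinder connector, and PHP files appearing in its upload directory."""
import re
import tempfile
from pathlib import Path

# Locations from public analyses of CVE-2020-25213 (not from this advisory page).
PLUGIN_DIR = "wp-content/plugins/wp-file-manager"
CONNECTOR_PATH = f"/{PLUGIN_DIR}/lib/php/connector.minimal.php"
UPLOAD_DIR = f"/{PLUGIN_DIR}/lib/files/"
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

# Apache "combined" / nginx default access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two attacker requests and one unrelated login request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2020:10:15:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24.0"
203.0.113.7 - - [01/Sep/2020:10:15:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.24.0"
198.51.100.4 - - [01/Sep/2020:10:16:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Label an entry as suspicious for this CVE, or return None."""
    path = entry["target"].split("?", 1)[0]  # drop the query string
    if path == CONNECTOR_PATH:
        # The plugin's UI talks to WordPress via admin-ajax, never to this file
        # directly, so any direct request (a POST above all) is an exploit attempt.
        return "connector-access"
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(PHP_EXTENSIONS):
        # A PHP file served out of the upload directory means a shell is already there.
        return "php-in-upload-dir"
    return None


def scan_log(lines):
    """Return the suspicious entries, in log order, each tagged with its label."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real deployment should count these
        kind = classify(entry)
        if kind:
            findings.append({"kind": kind, "ip": entry["ip"], "ts": entry["ts"],
                             "status": entry["status"], "target": entry["target"]})
    return findings


def php_files_in_upload_dir(webroot):
    """List PHP-like files under the plugin's upload directory, relative to the plugin."""
    plugin = Path(webroot) / PLUGIN_DIR
    files_dir = plugin / "lib" / "files"
    if not files_dir.is_dir():
        return []
    return sorted(
        p.relative_to(plugin).as_posix()
        for p in files_dir.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_EXTENSIONS
    )


def demo():
    """Build a constructed webroot with one planted shell and a benign file, then sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = Path(tmp) / PLUGIN_DIR / "lib" / "files"
        files_dir.mkdir(parents=True)
        # Constructed stand-in for a dropped web shell; not a real sample.
        (files_dir / "shell.php").write_text("<?php system($_GET['cmd']); ?>")
        (files_dir / "notes.txt").write_text("harmless upload")
        return php_files_in_upload_dir(tmp)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['kind']} {f['target']} ({f['status']})")
    print("PHP files in upload dir:", demo())
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log"))` and against the site with `php_files_in_upload_dir("/var/www/html")`. A connector hit with status 200 from before the update, followed by requests to a new .php name under lib/files/, is the sequence to treat as a confirmed compromise rather than a probe; at that point assume credentials in wp-config.php are exposed and rebuild rather than just delete the shell.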

Source: This report was generated using AI

Related WordPress Vulnerabilities

No related vulnerabilities found with identified affected products.