Security researchers have discovered a serious security flaw in the WordPress plugin WP File Manager. Although the problem has been resolved with an update, unknown attackers appear to have already been actively exploiting the vulnerability.

Another serious security hole has been found in a WordPress plugin. This time WP File Manager, which is used by around 700,000 websites, is affected. The vulnerability allows attackers to upload files, modify them, and ultimately take over the entire website. The developer has fixed the problem with an update. As the Finnish security company Seravo reports, the flaw was apparently already being actively exploited by unknown attackers to take over WordPress sites.

If you use WP File Manager, you should update to version 6.9 of the plugin without delay. Alternatively, Seravo recommends uninstalling the software. Simply deactivating the plugin, however, is not enough to close the gap.
According to the security company Sucuri, the vulnerability has existed since version 6.4 of the plugin, which was released about four months ago. Apparently the developers accidentally renamed a feature testing file from .php.dist to .php and added it to the project. The file belongs to the open-source project elFinder.
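Because deactivating the plugin leaves its files on disk, an audit should inspect the filesystem rather than WordPress's list of active plugins. The following script is an added example, not code from the article, Seravo, Sucuri or the plugin's developers; it assumes the standard WordPress layout and plugin header comment, and that the plugin directory is named `wp-file-manager` (an assumption, the article does not name the directory).

```python
"""Audit a WordPress install for a copy of WP File Manager older than 6.9.

Added illustration. Assumes the standard layout wp-content/plugins/<dir>/ and
the standard plugin header fields "Plugin Name:" and "Version:". The directory
name "wp-file-manager" is an assumption; the fixed version 6.9 is the article's.
"""
import os
import re
import tempfile

FIXED_VERSION = "6.9"
# Matches "Plugin Name: ..." / "Version: ..." header lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'6.10' -> (6, 10): tuple comparison avoids the string pitfall '6.10' < '6.9'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def read_plugin_header(plugin_dir):
    """Return the header fields from the first PHP file in the directory that has them."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only reads the first 8 KiB
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields and "Version" in fields:
            return fields
    return None


def audit(wp_root, plugin_dir_name="wp-file-manager", fixed=FIXED_VERSION):
    """Classify the install as 'absent', 'unknown', 'vulnerable' or 'patched'.

    Looks at files on disk, not the active_plugins option, because a merely
    deactivated plugin is still present and its files still reachable."""
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", plugin_dir_name)
    if not os.path.isdir(plugin_dir):
        return "absent"
    header = read_plugin_header(plugin_dir)
    if header is None:
        return "unknown"
    return "patched" if parse_version(header["Version"]) >= parse_version(fixed) else "vulnerable"


def make_fixture(version=None):
    """Constructed sample install for demonstration: a throwaway WordPress root with
    a minimal plugin header, or no plugin directory at all when version is None."""
    root = tempfile.mkdtemp()
    if version is not None:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "wp-file-manager")
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "main.php"), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: WP File Manager (constructed)\nVersion: {version}\n*/\n")
    return root
```

Run `audit("/var/www/html")` (or whatever the site's document root is) against a real install; a result of `vulnerable` means update or uninstall, not merely deactivate.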