The Wordfence Threat Intelligence team is seeing a dramatic increase in attacks targeting the recent 0-day in the WordPress File Manager plugin. This plugin is installed on over 700,000 WordPress websites, and we estimate that 37.4% or 261,800 websites are still running vulnerable versions of this plugin at the time of this publication.
Attacks are Exploiting File Upload Vulnerability
Attacks against this vulnerability have risen dramatically over the last few days. Wordfence has recorded attacks against over 1 million sites today, September 4, 2020, as of 9 AM Pacific Time. Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record.
A few new indicators of compromise have emerged, and one of the filenames we’re seeing most frequently is Feoidasf4e0_index.php.
The following IP addresses have each attacked over 100,000 sites since September 3, 2020:
If you find that your site’s functionality requires consistent usage of the File Manager plugin, ensure it is updated to version 6.9, which patched this vulnerability.
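To check a site for both points above (the reported filename and a File Manager version older than 6.9), the following is an added example, not Wordfence code. It assumes the plugin sits in the wp-content/plugins/wp-file-manager directory and carries a standard WordPress "Version:" header; the sample site tree is constructed for the demonstration.

```python
import os
import re
import tempfile

IOC_NAME = "Feoidasf4e0_index.php"  # filename reported in the post
PATCHED = (6, 9)                    # version the post says fixed the flaw
# Assumption: the plugin lives under its WordPress.org slug directory.
PLUGIN_DIR = os.path.join("wp-content", "plugins", "wp-file-manager")

def find_ioc_files(webroot):
    """Return every path under webroot whose filename matches the IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        hits += [os.path.join(dirpath, f) for f in files
                 if f.lower() == IOC_NAME.lower()]
    return sorted(hits)

def plugin_version(webroot):
    """Read 'Version:' from the plugin's PHP header; None if not installed."""
    plugin = os.path.join(webroot, PLUGIN_DIR)
    if not os.path.isdir(plugin):
        return None
    for name in sorted(os.listdir(plugin)):
        if name.endswith(".php"):
            with open(os.path.join(plugin, name), errors="replace") as fh:
                m = re.search(r"^[\s*#/]*Version:\s*(\d+(?:\.\d+)*)",
                              fh.read(8192), re.M | re.I)
            if m:
                return tuple(int(p) for p in m.group(1).split("."))
    return None

def audit(webroot):
    ver = plugin_version(webroot)
    return {"ioc_files": find_ioc_files(webroot), "plugin_version": ver,
            "needs_update": ver is not None and ver < PATCHED}

def build_sample_site(version="6.8", planted=True):
    """Constructed test tree: fake plugin header, empty IoC-named file."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, PLUGIN_DIR)
    os.makedirs(plugin)
    with open(os.path.join(plugin, "file_manager.php"), "w") as fh:
        fh.write("<?php\n/**\n * Version: %s\n */\n" % version)
    if planted:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        open(os.path.join(uploads, IOC_NAME), "w").close()
    return root

if __name__ == "__main__":
    print(audit(build_sample_site()))
```

A filename match is only a lead for investigation, and an empty result does not show a site is clean, since the post describes this name as one of several indicators.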
Uninstall File Manager
If you are not actively using the plugin, uninstall it completely. Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used.
Optimize your Wordfence firewall
To protect your site against vulnerabilities like these that run without loading WordPress, the firewall also needs to be able to run before WordPress is loaded.
Optimizing the Wordfence firewall ensures that it can protect you even against vulnerabilities and exploits that don’t require WordPress to run. There are numerous benefits to doing so, and it does require a few steps that our plugin will guide you through. This video walks through the process of firewall optimization. If you have been using Wordfence without the firewall optimized for some time, learning mode is unnecessary.
As a general rule, we recommend that you always have your firewall optimized. When zero-day vulnerabilities like this are attacked, having an optimized firewall gives you a much better chance of preventing successful exploitation.
Please share these recommendations with anyone you know who may be using the File Manager plugin.
Special thanks to Threat Analyst Chloe Chamberland and Director of Marketing Kathy Zant for their contributions in writing, researching, and editing this post.