Bugs in WordPress Plugin Allow Remote Code Execution
Websites running WordPress with the Frontend File Manager plugin installed are at risk of hacker attacks. The plugin in question, a file upload and management plugin for the WP platform, has a critical cross-site scripting bug that allows hackers to inject malicious JavaScript into the site's pages and create their own admin-level accounts.
The critical bug is found in versions 17.1 and 18.2 of the Frontend File Manager plugin and is one of six high-threat bugs in those two versions. According to Threatpost's report, over two thousand websites run one of these two versions of the WP plugin.
The plugin's critical vulnerabilities were publicly announced on June 12 and patches have been made available for them already.
In addition to allowing JavaScript to be injected into the pages of a site running WP and the plugin, the bugs also allowed hackers to edit or simply delete pages and posts, escalate account privileges and carry out cross-site scripting attacks, also referred to as XSS attacks. Those findings were made by security researchers working with the Ninja Technologies Network.
The report from Ninja Technologies gives a detailed breakdown of every faulty function in the plugin and explains exactly how each one enables bad actors to inject malicious code into pages or elevate account privileges, effectively gaining admin access.
The bugs also allow hackers to add PHP to the list of file types the Frontend File Manager plugin accepts for upload. This in turn allows them to upload malicious scripts and achieve remote code execution.
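The upload-path problem described above is that the plugin's list of permitted file types was itself modifiable by an attacker. The following is an added illustration, not the plugin's own code or the Ninja Technologies report: a defence-in-depth extension check that keeps a fixed, non-configurable list of server-executable extensions, so that tampering with the configurable allowlist cannot re-enable PHP uploads. The function name `is_upload_permitted` and the `$configured_allowlist` parameter are assumptions for this example.

```php
<?php
// Added example (not the plugin's code). Server-executable extensions that
// no administrator setting, tampered or not, may re-enable for upload.
// Includes PHP variants, .htaccess and a few browser-executable types.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
    'htaccess', 'shtml', 'cgi', 'pl', 'svg', 'html', 'htm', 'js',
];

// Returns true only if the file name passes the fixed denylist AND its
// final extension is in the (hypothetical) configurable allowlist.
function is_upload_permitted(string $filename, array $configured_allowlist): bool
{
    $basename = basename($filename);
    // Reject empty names, dotfiles such as ".htaccess", and names with no extension.
    if ($basename === '' || $basename[0] === '.' || strpos($basename, '.') === false) {
        return false;
    }
    $parts = array_map('strtolower', explode('.', $basename));
    array_shift($parts); // drop the base name, keep every extension segment

    // Any segment matching an executable extension is rejected, so
    // "shell.php.jpg" fails even though its last extension is "jpg"
    // (Apache mod_mime can act on intermediate extensions).
    foreach ($parts as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }

    // Only now consult the administrator-configurable allowlist; empty
    // entries from sloppy settings strings ("jpg, ,png") are discarded.
    $allow = array_filter(array_map('strtolower', array_map('trim', $configured_allowlist)));
    return in_array(end($parts), $allow, true);
}

// Constructed demo: this allowlist mimics one an attacker has already
// extended with "php"; the hardened check still refuses the upload.
$tampered_allowlist = ['jpg', 'png', 'pdf', 'php'];
foreach (['report.pdf', 'shell.php', 'shell.PHP', 'shell.php.jpg', '.htaccess'] as $name) {
    printf("%-14s %s\n", $name, is_upload_permitted($name, $tampered_allowlist) ? 'allowed' : 'rejected');
}
```

In a real WordPress plugin a check like this complements, rather than replaces, core's `wp_check_filetype_and_ext()` validation of the uploaded file's extension and content.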
Anyone using the Frontend File Manager plugin on their WP website will need to update immediately to version 18.3 of the plugin to avoid any possible issues and secure their configuration.
WordPress plugins are notorious for having vulnerabilities and issues that may lead to serious problems for site owners. The Frontend File Manager plugin isn't the first, and if the track record of other plugins is anything to go by, it probably won't be the last to have critical bugs. Website owners running third-party WordPress plugins should always be on the lookout for updates to those plugins, to stay as safe as possible.