Alert: Millions of WordPress sites hacked due to zero-day plugin flaw


Millions of WordPress sites were attacked last week. At issue was the exploitation by hackers of a zero-day flaw in a file manager plugin.

Millions of WordPress sites were attacked last week, reveals cyber defense company Defiant, the originator of the Wordfence web firewall. This sudden upsurge in attacks came after hackers discovered and began exploiting a zero-day vulnerability in "File Manager," a popular WordPress plugin installed on more than 700,000 sites.

This "zero-day" is an unauthenticated file upload vulnerability: it lets an attacker, without logging in, upload malicious files to any site running an older version of the "File Manager" plugin. It is still unclear how the attackers discovered this vulnerability, but they wasted no time in exploiting it on every WordPress site where the plugin was installed.

When they found a site using this plugin, they exploited the flaw and uploaded a web shell script, disguised as an image file, to the victim's server. This allowed them to take over the victim's site and enroll it in a botnet.

The good news is that the File Manager development team created and released a "zero-day" patch the same day they learned of the attacks. Some site owners have installed the patch, but others are still lagging behind.

It is this slow patching that recently prompted the WordPress development team to add an auto-update feature for WordPress themes and plugins. Since WordPress 5.5, released last month, site owners can configure plugins and themes to update themselves automatically whenever a new version is released, ensuring that their sites always run the latest version of a theme or plugin and are protected against attacks on known flaws.
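The auto-update behaviour described above can also be enforced in code rather than clicked per plugin in the dashboard, which matters on sites with many plugins or several administrators. The following must-use plugin is an added example written for this page, not code from the article, from ZDnet or from WordPress core; it uses the long-standing `auto_update_plugin` and `auto_update_theme` filters that WordPress's background updater consults, and the plugin basename in the allow-list is a constructed placeholder.

```php
<?php
/**
 * Plugin Name: Force plugin and theme auto-updates (example mu-plugin)
 * Description: Opts installed plugins and themes into WordPress's background updater.
 *
 * Added example, not part of the article or of WordPress core. Save it as
 * wp-content/mu-plugins/force-auto-updates.php: must-use plugins load on every
 * request and cannot be deactivated from the dashboard, so the policy sticks.
 */

// Plugins that must always auto-update, even if someone disables updates in
// the dashboard. Constructed placeholder basename; use the real
// "<slug>/<main-file>.php" basenames of the plugins you care about.
const FORCED_AUTO_UPDATE_PLUGINS = array(
    'example-plugin/example-plugin.php',
);

// Called by the updater for every plugin with an available update.
// $update is the value decided so far (true/false/null); $item is the update
// object, whose ->plugin property is the plugin basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, FORCED_AUTO_UPDATE_PLUGINS, true ) ) {
        return true; // always update the allow-listed plugins
    }
    return true; // policy for this site: update every other plugin as well
}, 10, 2 );

// Themes: same mechanism, no per-item logic needed here.
add_filter( 'auto_update_theme', '__return_true' );

// Keep the result mail WordPress sends after a background update run. The
// filter receives the email array plus the outcome type ('success', 'fail'
// or 'mixed'); tagging the subject makes failed runs easy to spot in an inbox.
add_filter( 'auto_plugin_theme_update_email', function ( $email, $type, $successful, $failed ) {
    if ( 'success' !== $type ) {
        $email['subject'] = '[ACTION NEEDED] ' . $email['subject'];
    }
    return $email;
}, 10, 4 );
```

Two points worth checking after installing this: background updates run from WP-Cron, so a site whose cron never fires (no visitors, or `DISABLE_WP_CRON` set without a system cron replacement) will not pick up patches no matter what the filters return; and the "Automatic Updates" column on the Plugins screen introduced in 5.5 shows whether each plugin is now opted in, which is the quickest way to confirm the policy took effect.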

Source: ZDnet.fr