Millions of WordPress sites are being probed for recent plugin bug
Millions of WordPress sites have been probed and attacked this week, Defiant, the company behind the Wordfence web firewall said on Friday.
The sudden spike in attacks happened after hackers discovered and started exploiting a zero-day vulnerability in “File Manager,” a popular WordPress plugin installed on over 700,000 sites.
It’s unknown how hackers found the zero-day, but this week they began probing for sites where the plugin might be installed.
If a probe was successful, the attackers would exploit the zero-day and upload a web shell disguised inside an image file on the victim’s server. The attackers would then access the web shell and take over the victim’s site, ensnaring it inside a botnet.
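A defender-side check for the technique described above, a web shell disguised as an image file in the uploads directory, added here as an illustration and not code from the article or from Wordfence. It compares each image file's leading bytes with its extension and looks for a PHP open tag inside the file; the file names and uploads layout are constructed sample data.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Expected leading bytes (magic numbers) for common image extensions.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# A PHP open tag is the usual sign of a web shell hidden in an "image".
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def inspect_file(path: Path) -> list[str]:
    """Return findings for one file (an empty list means nothing suspicious)."""
    findings: list[str] = []
    ext = path.suffix.lower()
    if ext not in IMAGE_MAGIC:
        return findings  # only image-looking files are checked here
    data = path.read_bytes()
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        findings.append("magic bytes do not match extension")
    if PHP_TAG.search(data):
        findings.append("PHP open tag inside image file")
    return findings

def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Walk an uploads tree and map each suspicious file to its findings."""
    suspicious: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file():
            findings = inspect_file(path)
            if findings:
                suspicious[str(path.relative_to(root))] = findings
    return suspicious

def build_sample_uploads() -> Path:
    """Constructed sample data: a clean PNG, a valid JPEG with PHP appended
    (a polyglot), and a plain PHP file renamed to .jpg. Returns the uploads root."""
    month = Path(tempfile.mkdtemp()) / "uploads" / "2020" / "09"
    month.mkdir(parents=True)
    (month / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 'x'; ?>")
    (month / "cache.jpg").write_bytes(b"<?php echo 'not an image'; ?>")
    return month.parent.parent

if __name__ == "__main__":
    for name, why in scan_uploads(build_sample_uploads()).items():
        print(f"{name}: {', '.join(why)}")
```

Run it against a real site's wp-content/uploads tree instead of the constructed sample to triage files that a vulnerable upload endpoint may have accepted.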
Millions of sites have been probed, attacked
“Attacks against this vulnerability have risen dramatically over the last few days,” said Ram Gall, Threat Analyst at Defiant.
The attacks began slowly but escalated throughout the week, with Defiant recording attacks against 1 million WordPress pages on Friday, September 4, alone.
In total, Gall says Defiant has been blocking attacks on more than 1.7 million pages since September 1, when the attacks first came to light.
The figure of 1.7 million is more than half the number of WordPress sites that use the Wordfence web firewall. Gall says the true scale of the attacks is much larger, since WordPress is installed on hundreds of millions of pages, many of which are likely to be probed and hacked over time.
The good news is that the File Manager developer team created and released a patch for the zero-day on the same day it learned about the attacks. Some site owners have installed the patch, but, as usual, others are lagging behind.
The article was originally published on ZDNet.