Security flaw in File Manager Plugin.

A critical vulnerability found in WordPress websites allowing security flaw in File Manager Plugin.

The security flaw in File Manager versions ranging from 6.0 to 6.8.  The critical vulnerability resulted in hundreds of thousands exploited websites

File Manager allows you to edit, delete, upload, download, zip, copy and paste files and folders directly from the WordPress backend. Don’t bother with FTP to manage and move your files from location to location. The most powerful, flexible, and easiest WordPress file management solution ever built!

In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project. 

The file in question was pulled by third-party dependency elFinder and used as a code reference. An extension added to the file, the rename of connector-minimal.php-dist to connector-minimal.php, was a small tweak — but was enough to trigger a critical vulnerability in the popular plugin. 

ElFinder’s script, as a file manager, grants users elevated privileges for modifying, uploading, and deleting files. As the system is focused on ease of use, to set the elFinder file manager up, it takes nothing more than changing the file’s extension from .php-dist to .php — and so the avenue for attacks was opened. 

view full article.

Have you received email from your host notifying you that WordPress website has been compromised. Maybe you don’t have time to keep my theme, plugins, and WordPress Core updated – we can help.

Best security keys in 2020: Hardware-based two-factor authentication for online protection

While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.