Yesterday a zero-day vulnerability was discovered in a popular WordPress plugin File Manager. The vulnerability allows arbitrary file upload and remote code execution.
File Manager plugin is a useful plugin that allows users to browse site files in an easy way. The plugin has over 700000 active installations that make it a desired target for attackers.
Yesterday the vulnerability was discovered by Seravo as part of their WordPress upkeep service. They noticed unusual activity on several of their customers websites and further investigation revealed the severe vulnerability in the File Manager plugin.
The way these vulnerability works is because of the execution of connector.minimal.php file. This file loads another file libphpelFinderConnector.class.php that can read postget variables that can execute File Manager features like file uploading.
Since the PHP scripts are allowed to be executed an attacker can upload unauthenticated arbitrary PHP files and execute them.