July 10, 2019
File Manager (wp-file-manager) by mndpsingh287 is a WordPress plugin for managing all files on a WordPress site. It lets users edit, delete, upload, download, zip, copy and paste files and folders directly from the WordPress backend.
On June 26th, 2019 we found multiple vulnerabilities in the backup feature of version 4.8 and below.
The vulnerabilities exist because the plugin's wp_ajax_* action handlers do not properly check the privileges of the calling user. By default, a wp_ajax_{action} hook (as opposed to wp_ajax_nopriv_{action}, which serves unauthenticated visitors) fires for any logged-in user. Being logged in is authentication, not authorization: WordPress does not require the caller to be an administrator, so the handler itself must verify a capability such as manage_options, and these handlers do not.
Because this authorization check is missing, any logged-in user, regardless of role, can reach the following functionality in the backup feature of the plugin:
Downloading a backup of the database or file system exposes sensitive information, such as the database credentials in wp-config.php or the user password hashes in the database, which can lead to further compromise of the site.
An attacker who wants to cause damage could restore the oldest backup that exists, rolling the site back to that state, and then delete all backups so the change cannot be undone.
The following registered wp_ajax_* hooks are vulnerable: mk_file_manager_backup_remove_callback, mk_file_manager_single_backup_remove_callback, mk_file_manager_single_backup_logs_callback and mk_file_manager_single_backup_restore_callback.
The mk_file_manager_backup_remove_callback AJAX action accepts the $_POST['delarr'] parameter, an array of identifiers of the backups to be removed. It iterates through the array and deletes all backup files associated with those identifiers.
Since each $bkRid value taken from the $_POST['delarr'] array is placed directly into the SQL query without being escaped or parameterized, the same handler is also vulnerable to SQL injection.
The mk_file_manager_single_backup_remove_callback AJAX action accepts the $_POST['id'] parameter, the identifier of the backup to be removed.
The mk_file_manager_single_backup_logs_callback AJAX action accepts the $_POST['id'] parameter and returns the backup metadata (filename, date, filesize) of the backup in question.
Since the backups are stored under the web-accessible /wp-content/uploads/wp-file-manager-pro/fm_backup/ folder, the filename returned by this action is all that is needed to download the backup directly over HTTP.
Finally, the mk_file_manager_single_backup_restore_callback AJAX action accepts the $_POST['id'] parameter and restores the backup(s) recorded in the database under that id.
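To make the pattern behind all four hooks concrete, the following is an added illustration and not the plugin's own source: a handler of the shape described above for the delarr removal action, first written the way the advisory describes it (logged-in check only, raw $_POST value in SQL), then hardened with the checks a WordPress AJAX handler that deletes backups needs. The hook name, table name and backup directory (example_*) are hypothetical.

```php
<?php
/*
 * Added illustration, not the plugin's code. Hook, table and directory names
 * prefixed example_ are hypothetical. The first handler has the shape of the
 * problem the advisory describes; the second is the hardened equivalent.
 */

// VULNERABLE PATTERN. wp_ajax_{action} fires for every logged-in user, so with
// no capability check and no nonce, any authenticated account can call this.
add_action( 'wp_ajax_example_backup_remove', 'example_backup_remove_vulnerable' );
function example_backup_remove_vulnerable() {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_backups';
    $delarr = isset( $_POST['delarr'] ) ? (array) $_POST['delarr'] : array();
    foreach ( $delarr as $bkRid ) {
        // $bkRid is attacker-controlled and interpolated unescaped: SQL injection.
        $row = $wpdb->get_row( "SELECT * FROM $table WHERE id = $bkRid" );
        if ( $row ) {
            @unlink( WP_CONTENT_DIR . '/uploads/example_backup/' . $row->filename );
            $wpdb->query( "DELETE FROM $table WHERE id = $bkRid" );
        }
    }
    wp_send_json_success();
}

// HARDENED VERSION of the same handler.
add_action( 'wp_ajax_example_backup_remove_safe', 'example_backup_remove_safe' );
function example_backup_remove_safe() {
    global $wpdb;

    // 1. Authorization: being logged in is not enough; require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce for this action
    //    (issued to the admin page with wp_create_nonce( 'example_backup_remove' )).
    check_ajax_referer( 'example_backup_remove', 'nonce' );

    // 3. Input typing: backup identifiers are positive integers, nothing else.
    $ids = isset( $_POST['delarr'] ) ? array_map( 'absint', (array) $_POST['delarr'] ) : array();
    $ids = array_values( array_filter( $ids ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no backup ids given', 400 );
    }

    // 4. Parameterized SQL: one %d placeholder per id, bound by $wpdb->prepare().
    $table        = $wpdb->prefix . 'example_backups';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $rows         = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, filename FROM {$table} WHERE id IN ({$placeholders})", $ids )
    );

    // 5. Path confinement: only delete regular files inside the backup directory,
    //    even if a stored filename has been tampered with.
    $dir     = trailingslashit( wp_upload_dir()['basedir'] ) . 'example_backup/';
    $deleted = 0;
    foreach ( $rows as $row ) {
        $path = realpath( $dir . basename( $row->filename ) );
        if ( $path && strpos( $path, realpath( $dir ) ) === 0 && is_file( $path ) ) {
            unlink( $path );
        }
        $wpdb->delete( $table, array( 'id' => (int) $row->id ), array( '%d' ) );
        $deleted++;
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

The same three checks (capability, nonce, typed input bound through $wpdb->prepare()) apply to the single-remove, logs and restore handlers as well. The direct-download issue is separate: as long as backups live under the web-served uploads directory, knowing a filename is enough to fetch them, so the archive directory should either be outside the web root or blocked from direct access by the web server.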
Always keep your plugins updated and, if possible, enable automatic updates. If you use this plugin, update to the latest version as soon as possible.