Wordpress security

WordPress Plugin File Manager: Multiple Vulnerabilities


Updated: December 8, 2020

WordPress plugin File Manager by mndpsingh287 (wp-file-manager) is a plugin used to manage all files on your WordPress site. It allows users to edit, delete, upload, download, zip, copy and paste files and folders directly from the WordPress backend.

We have found that it contains multiple vulnerabilities on June 26th, 2019 in version 4.8 and below that contains the backup feature.

wordpress plugin file manager screenshot from wordpress.org
Screenshot from WordPress.org

The multiple vulnerabilities exist due to not checking the authentication of the user properly in the wp_ajax_* action calls. By default, the wp_ajax_* actions that do not start with wp_ajax_nopriv_* only require the user to be logged in, but the user does not have to be an administrator.

WordPress Plugin File Manager Vulnerability Details

Because the authentication of the user is not properly checked, the following vulnerabilities exist in the backup feature of the plugin:

  • Backups can be deleted (SQL injection also exists due to this issue)
  • Backup information can be seen and downloaded
  • Backups can be restored

If we can download a backup of the database or file system, we can potentially find sensitive information that can then result in further exploitation of the site.

wordpress plugin file manager screenshot from wordpress.org
Screenshot of WordPress Plugin File Manager from wordpress.org

If someone wants to cause a lot of damage, they could restore the very first backup that exists and then delete all backups.

The following registered wp_ajax_* hooks are vulnerable: mk_file_manager_backup_remove_callback, mk_file_manager_single_backup_remove_callback, mk_file_manager_single_backup_logs_callback and mk_file_manager_single_backup_restore_callback.

The mk_file_manager_backup_remove_callback AJAX action accepts the $_POST[‘delarr’] parameter which is an array of all backup identifiers that need to be removed. It will then iterate through the array and delete all backup files associated with the identifiers.

Since the $bkRid parameter which is taken from the $_POST[‘delarr’] array is used directly in the SQL query, SQL injection also exists.

wordpress plugin file manager security advisory webarx

The mk_file_manager_single_backup_remove_callback AJAX action accepts the $_POST[‘id’] parameter which is the identifier of the backup that needs to be removed.

wordpress plugin file manager backup - remove

The mk_file_manager_single_backup_logs_callback AJAX action accepts the $_POST[‘id’] parameter and will then display the backup data (filename, date, filesize) of the backup in question.

Since the backups are stored in the /wp-content/uploads/wp-file-manager-pro/fm_backup/ folder, the filename of the backup that is displayed on the screen will allow us to download the backup.

wordpress plugin file manager

Finally, the mk_file_manager_single_backup_restore_callback AJAX action accepts the $_POST[‘id’] parameter and will then restore the backup(s) associated with that id in the database.

wordpress plugin file manager backup webarx

Timeline

  • 26-06-2019 – Initial finding and reported to plugin developer.
  • 01-07-2019 – No response yet, another attempt to contact developer.
  • 02-07-2019 – Response, they are working on a fix.
  • 02-07-2019 – Updated version sent for review.
  • 03-07-2019 – Another updated version sent for review, approved. Claimed that new version will be out on 04-07-2019.
  • 08-07-2019 – Version 4.9 released.

Want to be protected from plugin vulnerabilities?
Use WebARX.

Protect my website
Google Blacklist

Conclusion

Always keep your plugins updated. If possible, enable automatic updates. If you are using the mentioned plugin, you need to update it with the latest version as soon as possible.

Websites with WebARX firewall installed are protected from this security issue. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Wordpress security

suggested articles

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms:

PHP
WordPress
Magento
Drupal
Joomla