WordPress plugin File Manager by mndpsingh287 (wp-file-manager) is a plugin used to manage all files on your WordPress site. It allows users to edit, delete, upload, download, zip, copy and paste files and folders directly from the WordPress backend.
On June 26th, 2019, we found multiple vulnerabilities in version 4.8 and below, all of them in the plugin's backup feature.
The vulnerabilities exist because the plugin does not properly check the user's authorization in its wp_ajax_* action callbacks. By default, a wp_ajax_* action that is not also registered as wp_ajax_nopriv_* only requires the user to be logged in; the user does not have to be an administrator, so any subscriber-level account can reach these handlers.
WordPress Plugin File Manager Vulnerability Details
Because the user's privileges are never checked, the following vulnerabilities exist in the backup feature of the plugin:
- Backups can be deleted
- SQL injection also exists due to this issue
- Backup information can be seen and downloaded
- Backups can be restored
If we can download a backup of the database or file system, we can potentially find sensitive information that can then result in further exploitation of the site.
If someone wants to cause a lot of damage, they could restore the very first backup that exists and then delete all backups.
The following registered wp_ajax_* hooks are vulnerable: mk_file_manager_backup_remove_callback, mk_file_manager_single_backup_remove_callback, mk_file_manager_single_backup_logs_callback and mk_file_manager_single_backup_restore_callback.
The mk_file_manager_backup_remove_callback AJAX action accepts the $_POST['delarr'] parameter, which is an array of the identifiers of all backups to be removed. It then iterates through the array and deletes every backup file associated with those identifiers.
Since the $bkRid variable, which is taken from the $_POST['delarr'] array, is used directly in the SQL query without any escaping or parameterization, SQL injection also exists.
The mk_file_manager_single_backup_remove_callback AJAX action accepts the $_POST['id'] parameter, which is the identifier of the backup that needs to be removed.
The mk_file_manager_single_backup_logs_callback AJAX action accepts the $_POST['id'] parameter and then displays the backup data (filename, date, filesize) of the backup in question.
Since the backups are stored in the /wp-content/uploads/wp-file-manager-pro/fm_backup/ folder, the filename displayed on the screen is enough to download the backup directly from that folder.
Finally, the mk_file_manager_single_backup_restore_callback AJAX action accepts the $_POST['id'] parameter and then restores the backup(s) associated with that id in the database.
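For comparison, here is what a backup-removal AJAX handler looks like with the missing checks in place: a capability check on top of the login requirement, a nonce for CSRF protection, integer validation of the submitted ids, a prepared SQL statement, and deletion confined to the backup folder. This is an added example written for this post, not the plugin's own code; the handler name, nonce action name and backup table name are assumptions.

```php
<?php
// Added example, not the plugin's own code. The handler name, the 'fm_backup'
// nonce action and the backup table name are assumptions for illustration.

add_action( 'wp_ajax_secure_backup_remove', 'secure_backup_remove_callback' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors never reach it.

function secure_backup_remove_callback() {
    global $wpdb;

    // 1. Capability check: being logged in is not enough. Only users who may
    //    manage the site should be able to touch backups.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    //    check_ajax_referer() terminates the request when the nonce is invalid.
    check_ajax_referer( 'fm_backup', 'nonce' );

    // 3. Input validation: delarr must be an array of positive integers.
    $ids = ( isset( $_POST['delarr'] ) && is_array( $_POST['delarr'] ) ) ? $_POST['delarr'] : array();
    $ids = array_filter( array_map( 'absint', $ids ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No valid backup ids supplied' ), 400 );
    }

    $table = $wpdb->prefix . 'fm_backup'; // assumed table name
    $dir   = trailingslashit( wp_upload_dir()['basedir'] ) . 'wp-file-manager-pro/fm_backup/';

    foreach ( $ids as $id ) {
        // 4. Parameterised query: the id is bound via %d, never concatenated.
        $row = $wpdb->get_row( $wpdb->prepare( "SELECT backup_name FROM {$table} WHERE id = %d", $id ) );
        if ( ! $row ) {
            continue;
        }
        // 5. Path confinement: only delete a regular file inside the backup folder.
        $file = realpath( $dir . basename( $row->backup_name ) );
        if ( $file && strpos( $file, realpath( $dir ) ) === 0 && is_file( $file ) ) {
            unlink( $file );
        }
        $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    }

    wp_send_json_success( array( 'deleted' => array_values( $ids ) ) );
}
```

The corresponding nonce is generated server-side with wp_create_nonce( 'fm_backup' ) and sent by the plugin's own JavaScript as the nonce field of the request.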
Disclosure Timeline
- 26-06-2019 – Initial finding and reported to plugin developer.
- 01-07-2019 – No response yet, another attempt to contact developer.
- 02-07-2019 – Response, they are working on a fix.
- 02-07-2019 – Updated version sent for review.
- 03-07-2019 – Another updated version sent for review, approved. Claimed that new version will be out on 04-07-2019.
- 08-07-2019 – Version 4.9 released.
Always keep your plugins updated. If possible, enable automatic updates. If you are using the mentioned plugin, update it to the latest version as soon as possible.
Websites with the WebARX firewall installed are protected from this security issue. If you are not protecting your WordPress site against plugin vulnerabilities yet, go and start for free here.