Several vulnerabilities have been discovered in the Frontend File Manager plugin for WordPress, one of which allows a remote attacker to inject malicious JavaScript into vulnerable websites. This class of vulnerability is known as cross-site scripting (XSS). In this scenario, the XSS allows an attacker to:
- Delete blog pages
- Create admin user accounts
- Gain remote code execution
The cross-site scripting vulnerability is only one of six critical vulnerabilities affecting the plugin. The affected versions (Frontend File Manager versions 17.1 and 18.2) are active on over 2000 WordPress instances. The most concerning aspect of the XSS is that it allows unauthenticated remote code execution, giving an attacker complete control of a website.
The impact:
Combined, the vulnerabilities allow a successful attacker to perform a variety of malicious actions. The potential impacts are:
- Create a new admin account, essentially nullifying the need to compromise other accounts
- Escalate privileges from lower privileged accounts to any other user
- Upload arbitrary malicious files and change WordPress site settings
- Delete posts without authentication
- Change metadata and download sensitive files without authentication
- Abuse an HTML injection to use a blog as a base for a spam relay
The remediation:
To mitigate these vulnerabilities, users should upgrade to version 18.3 or above. After upgrading, site administrators should confirm that no rogue administrator accounts exist, so that only trusted administrator accounts remain.
In addition, it would be prudent to back up WordPress instances regularly, so that an attacker who deletes site content cannot erase it permanently.
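The two post-upgrade checks above (is the plugin still on a version below 18.3, and have any unexpected administrator accounts appeared) can be scripted against WP-CLI output. The following is an added example written for this summary, not code from the article or from the plugin's authors. It assumes the CSV column layout that `wp plugin list --format=csv` and `wp user list --role=administrator --format=csv` print by default, and the plugin slug `frontend-file-manager-plugin` is an assumption to verify against the site's own plugin list; the sample CSV is constructed.

```python
import csv
import io

# Fixed version named in the advisory: 18.3 and above are patched.
FIXED_VERSION = (18, 3)
# Assumed plugin slug; confirm with `wp plugin list` on the site being audited.
PLUGIN_SLUG = "frontend-file-manager-plugin"


def parse_version(text):
    """Turn '18.2' or '18.3.1' into a comparable tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_plugins(plugin_csv, slug=PLUGIN_SLUG):
    """Return (name, version) for every matching plugin still on a vulnerable version.

    plugin_csv is the text of `wp plugin list --format=csv`
    (columns name,status,update,version; assumed default layout).
    """
    rows = csv.DictReader(io.StringIO(plugin_csv))
    return [(r["name"], r["version"])
            for r in rows
            if r["name"] == slug and is_vulnerable(r["version"])]


def rogue_admins(user_csv, allowlist):
    """Return administrator logins that are not in the expected allowlist.

    user_csv is the text of `wp user list --format=csv`
    (columns ID,user_login,display_name,user_email,user_registered,roles;
    assumed default layout; roles is a comma-separated list).
    """
    rows = csv.DictReader(io.StringIO(user_csv))
    return sorted(r["user_login"]
                  for r in rows
                  if "administrator" in r["roles"].split(",")
                  and r["user_login"] not in allowlist)


def audit(plugin_csv, user_csv, allowlist):
    """Combine both checks into one findings dict for a post-upgrade review."""
    return {
        "vulnerable_plugins": vulnerable_plugins(plugin_csv),
        "rogue_admins": rogue_admins(user_csv, allowlist),
    }


# Constructed sample output: a site still on 18.2 with one unexpected admin.
SAMPLE_PLUGINS = """name,status,update,version
akismet,active,none,4.2.1
frontend-file-manager-plugin,active,available,18.2
"""

SAMPLE_USERS = """ID,user_login,display_name,user_email,user_registered,roles
1,alice,Alice,alice@example.com,2020-01-02 10:00:00,administrator
3,bob,Bob,bob@example.com,2020-03-09 12:30:00,editor
7,wp_support,WP Support,support@example.net,2021-09-03 03:14:07,administrator
"""

# Administrator logins the site owner actually created.
KNOWN_ADMINS = {"alice"}


if __name__ == "__main__":
    findings = audit(SAMPLE_PLUGINS, SAMPLE_USERS, KNOWN_ADMINS)
    for name, version in findings["vulnerable_plugins"]:
        print(f"UPGRADE NEEDED: {name} is on {version}, fixed in 18.3")
    for login in findings["rogue_admins"]:
        print(f"REVIEW: unexpected administrator account '{login}'")
    if not findings["vulnerable_plugins"] and not findings["rogue_admins"]:
        print("OK: plugin patched and no unexpected administrators")
```

On a real site, feed the script the two WP-CLI outputs instead of the constructed samples and keep the allowlist of administrator logins in version control; any login that appears outside it after the upgrade warrants a password reset and a review of the account's creation date in the user list.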
Source: Threat Post