Covering the week's top tech stories with a slight Linux bias.

Attackers are exploiting a critical vulnerability in a popular WordPress plugin that enables an adversary to run arbitrary commands and upload files to a target WordPress site. The flaw is in the File Manager plugin, which has more than 700,000 active users and is designed to help administrators manage files on their WordPress sites. The plugin includes a third-party library called elFinder, and the vulnerability results from the way that File Manager renamed an extension in elFinder.

The vulnerability was introduced in version 6.4 of File Manager, which was released in May, but it wasn't until late August that researchers first saw exploit attempts against the bug. An exploit for the vulnerability was posted on GitHub in the last week of August, and on September 1st the maintainers of File Manager released an updated version that fixed the bug. Although the fixed version has been available for nearly two weeks, researchers say not many of the WordPress sites running the plugin have updated, which means they are still vulnerable.

Ram Gall of Wordfence said on Friday: "Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record."

The severity of the vulnerability makes it urgent to update, especially with automated scans for the bug ongoing. Identifying vulnerable sites is a trivial task, and with an exploit publicly available, time is of the essence, particularly given the fact that an attacker would be able to upload arbitrary files to the site after a successful exploit.