UIT Service Advisory - Critical WordPress vulnerability being actively attacked, September 3, 2020

UIT Service Advisory


Attention all WordPress administrators: 


A critical vulnerability present in the WordPress plugin File Manager, which is in common use to manage WordPress sites, is being actively attacked globally. To protect against the attack, it is essential to update the plugin to the latest version 6.9 that contains the patch (released Sept 1 2020).  Alternately, disable or remove the plugin until it is updated.  WordPress sites that do not have the plugin enabled are not affected. 


Severity level 

CVSS Score: 10.00 (Critical) 



The vulnerability, which currently does not have a CVE assigned to it, is a remote code execution flaw with a CVSSv3 score of 10.0.  According to Wordfence researchers, the flaw exists due to the improper inclusion of an open-source file manager library called elFinder.  It appears that the file connector.minimal.php-dist was stored in an executable format (renamed to .php) and the file “could be accessed by anyone” in order to execute commands via a function in elFinderConnector.class.php. 


Affected Versions 

6.0 - 6.8 



This vulnerability allow unauthenticated users to execute commands and upload malicious files on a target site. 



Upgrade to version 6.9 immediately, remove or disable the plugin. 






Thank you for your continued support and cooperation.


Please direct any questions or concerns to UIT Client Services.


Email:  askit@yorku.ca
Self Serve Portal:  http://askit.yorku.ca

Thank you,
University Information Technology