• Although the plugin proves useful for cases where you do not want or cannot manage files via CPanel or FTP, a quiet “Security issue fixed” update isn’t an adequate security advisory after having a vulnerability with CVE severity of 9.8|10.0.

    Less tech-savvy users will not even notice that multiple backdoors were planted around their websites as a result of this plugin’s vulnerability.

    Given that even the easiest-found of the scripts that I removed from my own site can still be found on well over a thousand websites (search "Hacked by MiSh" via Google), I would say that the number of websites that are still compromised is somewhere in the tens of thousands, if not more – with the Sucuri report noting that the number of attacks per hour peaked at >10K, it could very well be that most of the public-facing websites using the plugin had been compromised during the opportunity window.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support File Manager Support

    (@filemanagersupport)

    Hi @yellowafterlife
    We take security very seriously and apologize to our community for any inconvenience or issues that have been caused. We urge users to update to the latest version immediately, since it contains a patch for this vulnerability and will keep you protected.

    Please update the File Manager plugin if you are using File Manager Free. Here is some documentation to assist you with the process: https://filemanagerpro.io/article/how-to-download-latest-version-of-file-manager-pro

    Send us a support ticket by using this link https://filemanagerpro.io/contact. We would like to assist you with any issue you are experiencing.

    Thread Starter yellowafterlife

    (@yellowafterlife)

    Updating to the latest version won’t suffice – should the user notice that their website had been compromised, additional backdoors were most definitely installed.

    For example, despite having had auto-updates enabled, I had cleared a total of >10 backdoors by the time I noticed that something wasn’t right, which was because one of the malicious scripts was redirecting a fraction of users to download malware.

    Rest assured, this accident will have a long shadow as I learn of more and more people who have been recommending others against visiting my website on the assumption that I was the one to plant malicious redirects.
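The point made in the reply above, that updating the plugin does not remove backdoors already dropped, calls for a file sweep of the install. The script below is an added example, not code from the thread or from the plugin's authors: it walks a WordPress tree and flags files carrying the "Hacked by MiSh" marker quoted earlier, PHP files containing an eval-of-decoded-string idiom (an assumed, commonly used obfuscation tell), and any PHP file under wp-content/uploads, where none belongs. The mini site it scans is constructed inline so it runs offline.

```python
"""Post-incident sweep of a WordPress tree for likely dropped backdoors.
Added example; the sample install built by build_sample_site() is constructed."""
import os
import re
import tempfile

# First pattern is the defacement marker quoted in the thread; the second is a
# common obfuscation idiom (assumption: typical of dropped webshells, not from the page).
MARKERS = [
    re.compile(rb"Hacked by MiSh"),
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
]
# Upload directories should hold media only; a .php file there is a red flag.
NO_PHP_DIRS = ("wp-content/uploads/",)

def suspicious_files(root):
    """Return sorted relative paths of files that match a marker, or that are
    PHP files located under a directory which should contain no PHP at all."""
    hits = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith((".php", ".phtml")) and rel.startswith(NO_PHP_DIRS):
                hits.add(rel)
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            if any(m.search(data) for m in MARKERS):
                hits.add(rel)
    return sorted(hits)

def build_sample_site():
    """Constructed mini install: one clean theme file, a defaced page, a PHP
    file dropped into uploads, and a theme file carrying an eval() stub."""
    root = tempfile.mkdtemp(prefix="wp-sweep-")
    samples = {
        "wp-content/themes/t/index.php": b"<?php get_header(); ?>",
        "index.html": b"<!-- Hacked by MiSh -->",
        "wp-content/uploads/2020/09/image.php": b"<?php /* dropped file */ ?>",
        "wp-content/themes/t/functions.php": b"<?php eval(base64_decode('...')); ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root
```

On a real site, call `suspicious_files()` with the WordPress document root; the list is a triage starting point, not a complete cleanup, so compare it against a known-good copy of core, themes and plugins before removing anything.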

  • The topic ‘Problematic’ is closed to new replies.