Monday, May 20, 2024
HomeSEOWordPress File Supervisor Plugin Vulnerability Impacts +1 Million Web sites

WordPress File Supervisor Plugin Vulnerability Impacts +1 Million Web sites


A big safety vulnerability has been recognized and patched within the broadly used File Supervisor plugin for WordPress, affecting over 1 million web sites. The vulnerability is rated 8.1 out of 10 in severity and will probably enable unauthenticated attackers to realize entry to delicate info together with information contained in website backups.

Unauthenticated Assault Vulnerabilities

What makes this vulnerability a excessive concern is the truth that a hacker doesn’t want login credentials as a way to launch an assault, which is what is supposed by the time period unauthenticated.

Within the context of a WordPress plugin vulnerability, an attacker can acquire entry to delicate info with no need to log in or authenticate their id. This sort of assault exploits a safety hole the File Supervisor plugin known as Use of Insufficiently Random Values.

The Widespread Weak point Enumeration safety web site describes this sort of vulnerability:

“The product makes use of insufficiently random numbers or values in a safety context that relies on unpredictable numbers.

When product generates predictable values in a context requiring unpredictability, it could be attainable for an attacker to guess the subsequent worth that will probably be generated, and use this guess to impersonate one other person or entry delicate info.”

This class of vulnerability is because of a weak spot within the File Supervisor plugin’s backup filename era algorithm. The algorithm combines a timestamp with a four-digit random quantity however that quantity of randomization just isn’t random sufficient to maintain an attacker from efficiently guessing the file names and as a consequence allows attackers to realize entry to backup recordsdata in configurations the place there isn’t a .htaccess file to dam entry.

Use of Insufficiently Random Values Vulnerability

The Use of Insufficiently Random Values vulnerability kind is a flaw within the plugin that depends on producing random and unpredictable file numbers as a way to stop attackers from guessing what a backup file identify is. The plugins lack of randomization permits an attacker to determine the file names and acquire entry to delicate info.

Susceptible Variations Of The Plugin

The safety vulnerability is present in all variations as much as and together with 7.2.1 and was patched within the newest replace of the plugin, with the discharge of model 7.2.2.

The replace, as famous within the File Supervisor WordPress Plugin Changelog Documentation, features a repair for the safety subject. Customers of the plugin are strongly suggested to contemplate updating to this newest model to guard their web sites from potential exploits.

Learn the Wordfence advisory for extra info:

File Supervisor <= 7.2.1 – Delicate Info Publicity by way of Backup Filenames

Featured Picture by Shutterstock/Perfect_kebab

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments