A critical vulnerability in the Bit File Manager plugin for WordPress, affecting over 20,000 active installations, allows threat actors to execute malicious code remotely.
Cybersecurity researcher Tang Cheuk Hei (siunam) discovered the flaw, and the plugin has since been patched in the latest update, version 6.5.6.
The flaw, present in Bit File Manager versions 6.0 to 6.5.5, stems from the plugin’s ‘checkSyntax’ function. Improper permission checks, combined with a race condition in how that function validates submitted code, allowed attackers to execute arbitrary PHP code on vulnerable servers, potentially leading to full site compromise.
Attackers could exploit the flaw without authentication if an administrator had enabled guest user access to the plugin, a configuration that amplifies the risk of exploitation.
The plugin’s faulty validation process is what made the race condition exploitable. The core issue lies within the ‘validate()’ function of the FileEditValidator class, which checks the syntax of submitted PHP code.
The vulnerability is triggered by a faulty variable type check in the ‘checkPermission()’ function. Because the variable ‘$error’ is initialised as an empty string and never reassigned, the permission check fails to block the request, allowing unauthorised users to bypass it.
Once past the permission check, the attacker could submit arbitrary PHP code, which the plugin wrote to a temporary file in the publicly accessible WordPress uploads folder for syntax checking.
Although the plugin deleted that file immediately after checking it, a race condition allowed attackers to repeatedly request the temporary file’s URL, so that the web server executed the malicious code before the deletion took place. That window is enough to gain control of the site.
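The write-then-lint-then-delete pattern described above, reproduced in PHP as an added example beside two safer alternatives. This is illustrative code written for this article, not the plugin’s own code, and the function names, the uploads path and the use of ‘php -l’ as the syntax checker are assumptions.

```php
<?php
// Added example, not code from the Bit File Manager plugin. Function names,
// directory layout and the choice of `php -l` as the linter are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern -----------------------------------------------------
// The submitted code is written to a .php file under the public uploads
// directory, linted, then unlinked. Between file_put_contents() and unlink()
// the file is reachable as https://example.com/wp-content/uploads/<name>.php
// (hypothetical URL), so a concurrent request in that window executes it.
function checkSyntaxVulnerable(string $code, string $uploadsDir): bool
{
    $tmp = $uploadsDir . '/tmp_' . bin2hex(random_bytes(8)) . '.php'; // web-reachable
    file_put_contents($tmp, $code);
    exec('php -l ' . escapeshellarg($tmp) . ' 2>&1', $out, $rc);
    unlink($tmp); // too late: the file already existed under the web root
    return $rc === 0;
}

// --- Hardened pattern 1: never touch the disk --------------------------------
// `php -l` with no filename lints standard input, so the attacker-supplied
// code is never written anywhere and there is no file for a racing request
// to hit.
function checkSyntaxHardened(string $code): bool
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open('php -l', $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start php -l');
    }
    fwrite($pipes[0], $code);
    fclose($pipes[0]);
    stream_get_contents($pipes[1]); // lint output, discarded here
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// --- Hardened pattern 2: a file that is unavoidable --------------------------
// If the checker insists on a path, create the file outside the document root
// with tempnam() (mode 0600, no .php extension) and remove it even on failure.
// The permission check must run before this function is ever called.
function checkSyntaxPrivateFile(string $code): bool
{
    $tmp = tempnam(sys_get_temp_dir(), 'lint_'); // outside the web root
    if ($tmp === false) {
        throw new RuntimeException('tempnam failed');
    }
    try {
        file_put_contents($tmp, $code);
        exec('php -l ' . escapeshellarg($tmp) . ' 2>&1', $out, $rc);
        return $rc === 0;
    } finally {
        unlink($tmp);
    }
}

// Constructed inputs for a stand-alone run.
var_dump(checkSyntaxHardened('<?php echo "ok";'));    // bool(true)
var_dump(checkSyntaxHardened('<?php echo "broken";;')); // bool(true) (two ; is valid)
var_dump(checkSyntaxHardened('<?php echo "broken"'));   // bool(false)
var_dump(checkSyntaxPrivateFile('<?php return 1;'));   // bool(true)
```

The point of the two hardened variants is that the race disappears only when attacker-controlled PHP never exists, even briefly, at a URL the web server will execute. Shortening the window between write and delete does not fix it; a tight request loop will still win often enough. The permission bypass in ‘checkPermission()’ is a separate bug, but it is what turned this race from an authenticated issue into an unauthenticated one on sites with guest access enabled, so the access check has to be correct and has to run before any file handling.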
Researchers have urged site owners and organisations to update the plugin to version 6.5.6.
WordPress plugins have frequently exhibited critical vulnerabilities that impact thousands, sometimes millions, of websites. Recently, a critical flaw in the WP Job Portal affected 6,000 websites.
In July, four WordPress plugins — WP Server Health, Ad Invalid Click Protector, the PowerPress Podcasting plugin by Blubrry, and SEO Optimized Images — were hit by supply chain attacks.
A few months earlier, in June, yet another critical flaw, this time in the Login/Signup Popup plugin, affected 40,000 websites.
In April, a bug in the LayerSlider plugin affected over a million websites.