Zero-day flaw in WordPress File Manager

A zero-day flaw has been found in WordPress File Manager. It was introduced on 5th May and affects versions 6.0 through 6.8 of the plugin.

The WordPress File Manager is an alternative to using FTP for managing file transfers. A mistake in renaming a file during development has left around half of the 700,000 sites that use the plugin vulnerable.

Exploits were first seen on 31st August, and by the next day they had risen to around 10,000 attacks per hour. The solution is to upgrade to v6.9.

For more information, take a look at the Security Now! show notes.