13 July 21, 12:54
Quote: A critical cross-site scripting (XSS) bug impacts WordPress sites running the Frontend File Manager plugin and allows remote unauthenticated users to inject JavaScript code into vulnerable websites to create admin user accounts.
The bug is one of six critical flaws impacting the WordPress plugin Frontend File Manager versions 17.1 and 18.2, active on more than 2,000 websites. Each of the flaws, publicly disclosed Monday, has an available patch.
The bugs open sites running the plugin to a broad range of remote code execution attacks, giving adversaries the ability to change or delete posts, set up a spam relay, achieve privilege escalation, and carry out stored cross-site scripting (XSS) attacks, according to researchers from the Ninja Technologies Network.
The WordPress plugin is designed to allow users to upload files to a website admin. Each file is saved in a private directory, so each user can manage their own files after login.
Read more: WordPress File Management Plugin Riddled with Critical Bugs | Threatpost