Critical zero-day vulnerability fixed in WordPress File Manager (700,000+ installations).

The popular WordPress File Manager plugin (700,000+ installations) fixed a critical zero-day vulnerability affecting version 6.8 and below.
The vulnerability allows an unauthenticated user to run the file manager commands by directly accessing an unprotected file from its elFinder package:
Here’s a sample log we found today on one of the several hacked websites we had to deal with:

- - [31/Aug/2020:17:25:23 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 "-" "python-requests/2.24.0" "-"
- - [31/Aug/2020:17:25:27 +0200] "POST //wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 13665 "-" "python-requests/2.24.0" "-"
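To check your own access logs for the two request patterns in the sample log above (a direct hit on connector.minimal.php, then a request for a PHP file under lib/files/), here is a small triage script. It is an added example, not code from the original advisory or from the plugin; it assumes common/combined log format, and the function names, the extension list and the client addresses in the sample are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request part of a common/combined access-log line: "METHOD path HTTP/x" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

PLUGIN_LIB = "/wp-content/plugins/wp-file-manager/lib/"
CONNECTOR = PLUGIN_LIB + "php/connector.minimal.php"
FILES_DIR = PLUGIN_LIB + "files/"
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$")  # assumption: extensions the server may run as PHP

# Constructed sample: lines 1-2 reuse the requests from the log above with
# made-up client addresses; lines 3-4 are made-up benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Aug/2020:17:25:23 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 "-" "python-requests/2.24.0"
203.0.113.10 - - [31/Aug/2020:17:25:27 +0200] "POST //wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 13665 "-" "python-requests/2.24.0"
198.51.100.7 - - [31/Aug/2020:17:26:02 +0200] "GET /wp-content/plugins/wp-file-manager/lib/files/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2020:17:26:05 +0200] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def normalize(path):
    """Drop the query string, decode %xx once, collapse '//' runs, lowercase."""
    path = unquote(path.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()


def classify(path):
    """Return a finding label for a normalized path, or None if it is not of interest."""
    if CONNECTOR in path:
        return "connector-access"
    if FILES_DIR in path and PHP_EXT.search(path):
        return "php-in-files-dir"
    return None


def scan(lines):
    """Return (line number, label, method, status) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        label = classify(normalize(m["path"])) if m else None
        if label:
            findings.append((lineno, label, m["method"], int(m["status"])))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Paths are matched as substrings after normalization, so installs in a subdirectory and the doubled leading slash seen in the sample are both covered.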