Critical zero-day vulnerability fixed in WordPress File Manager (700,000+ installations).

The popular WordPress File Manager plugin (700,000+ installations) fixed a critical zero-day vulnerability affecting version 6.8 and below.
The vulnerability allows an unauthenticated user to run the file manager's commands by directly accessing an unprotected file from its elFinder package.
Here's a sample log we found today on one of the several hacked websites we had to deal with:

185.222.57.0 - - [31/Aug/2020:17:25:23 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-" 

185.222.57.0 - - [31/Aug/2020:17:25:27 +0200] "POST //wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 13665 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-"
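As an added example (not part of the original post), a small Python scanner that parses access-log lines in the format shown above and flags direct requests to the plugin's elFinder connector and to its lib/files path, so a site owner can check their own logs for the same pattern. The sample input is the two log lines from the post plus one constructed benign request; the path prefixes are assumed from those lines.

```python
import re
from typing import Dict, List, Optional

# Request paths seen in the post's log: the unprotected elFinder connector,
# and the follow-up file under lib/files (prefixes assumed from those lines).
SUSPICIOUS_PREFIXES = (
    "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php",
    "/wp-content/plugins/wp-file-manager/lib/files/",
)

# Combined-style format shown in the post:
# ip - - [ts] "METHOD PATH PROTO" status size host "referer" "user-agent" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'(?P<host>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Two lines from the post plus one constructed benign request.
SAMPLE_LOG = [
    '185.222.57.0 - - [31/Aug/2020:17:25:23 +0200] "POST //wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 1085 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-"',
    '185.222.57.0 - - [31/Aug/2020:17:25:27 +0200] "POST //wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 13665 www.xxxxxxxxx.com "-" "python-requests/2.24.0" "-"',
    '203.0.113.5 - - [31/Aug/2020:17:30:00 +0200] "GET /wp-login.php HTTP/1.1" 200 4210 www.xxxxxxxxx.com "-" "Mozilla/5.0" "-"',
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def normalize_path(path: str) -> str:
    """Drop the query string and collapse doubled slashes such as '//wp-content'."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0])

def is_suspicious(entry: Dict[str, str]) -> bool:
    """True when the request targets one of the plugin paths from the post."""
    return normalize_path(entry["path"]).startswith(SUSPICIOUS_PREFIXES)

def scan_log(lines) -> List[Dict[str, str]]:
    """Parse each line and keep those hitting the suspicious paths."""
    return [e for e in map(parse_line, lines) if e and is_suspicious(e)]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], normalize_path(hit["path"]), hit["status"])
```

A 200 status on either path in a real log means the request reached the file, which is reason enough to treat the site as compromised until the plugin is updated and the lib/files directory is reviewed.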
