WordPress File Manager Plugin is a tool that makes it simple for webmasters to upload, edit, archive, and delete files and folders on their website’s backend.
This plugin is quite popular among WordPress developers and has been installed on over 700,000 websites.
One interesting thing about this exploit is that hackers are injecting code and then password-protecting the compromised sites through the same vulnerability, so that rival attackers cannot exploit the same flaw.
The developers of WordPress File Manager issued an update (version 6.9) on September 1st that resolves the security issue. Users are advised to update their websites as soon as possible. Knowing the WordPress community, it could be a while before most if not all of the installations are updated.
For websites that have the File Manager Plugin vulnerability and have already been compromised, it is advisable to reinstall WordPress to clean up possibly infected core files. One should also change the database password and the passwords of all users with administrator privileges. WordPress file system permissions should be reviewed as well.
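A defender's first pass at two of the checks above, added here as an example and not taken from the article or the plugin's authors: it reports whether the installed File Manager is at least version 6.9 and lists file-permission findings worth reviewing. The plugin path `wp-content/plugins/wp-file-manager/file_folder_manager.php` and the offline fixture tree are assumptions, and the script audits any WordPress root passed as its first argument.

```shell
#!/bin/sh
# Added audit helpers (not from the article or the plugin authors). Assumes a
# standard WordPress root whose File Manager main file is
# wp-content/plugins/wp-file-manager/file_folder_manager.php with a "Version:" header.
FIXED_VERSION=6.9   # first release the article says fixes the flaw

# Print the installed File Manager version, or "missing" if the plugin is absent.
fm_version() {
  f="$1/wp-content/plugins/wp-file-manager/file_folder_manager.php"
  [ -f "$f" ] || { echo missing; return 0; }
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
}
# Succeed when dotted version $1 >= $2, comparing components numerically (6.10 > 6.9).
version_ge() {
  hi=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
  [ "$hi" = "$1" ]
}
# Classify the install as missing, patched or vulnerable against FIXED_VERSION.
fm_status() {
  v=$(fm_version "$1"); [ -n "$v" ] || v=0
  if [ "$v" = missing ]; then echo missing
  elif version_ge "$v" "$FIXED_VERSION"; then echo "patched ($v)"
  else echo "vulnerable ($v < $FIXED_VERSION)"; fi
}
# Permission review: group/world-writable paths, a wp-config.php readable by
# others, and PHP files under uploads (a common location for injected code).
perm_findings() {
  find "$1" \( -perm -020 -o -perm -002 \) | sed 's/^/writable: /'
  [ -f "$1/wp-config.php" ] && find "$1/wp-config.php" -perm -004 | sed 's/^/world-readable: /'
  [ -d "$1/wp-content/uploads" ] && find "$1/wp-content/uploads" -name '*.php' | sed 's/^/php-in-uploads: /'
  return 0
}
# Constructed fixture: a tiny WordPress tree with an unpatched plugin, one
# world-writable uploads dir and one dropped PHP file, so the audit runs offline.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/wp-file-manager" "$d/wp-content/uploads"
  printf '<?php\n/**\n * Plugin Name: File Manager\n * Version: 6.8\n */\n' \
    > "$d/wp-content/plugins/wp-file-manager/file_folder_manager.php"
  printf '<?php // constructed\n' > "$d/wp-config.php"
  printf '<?php // constructed\n' > "$d/wp-content/uploads/dropped.php"
  find "$d" -type d -exec chmod 755 {} \; ; find "$d" -type f -exec chmod 644 {} \;
  chmod 640 "$d/wp-config.php"; chmod 777 "$d/wp-content/uploads"
  echo "$d"
}
# Stand-alone: audit the root given as $1, or the fixture when none is given.
root=${1:-$(make_fixture)}
echo "File Manager: $(fm_status "$root")"
perm_findings "$root"
```

Run it as `sh audit.sh /var/www/html` against a real install; the version check only covers the File Manager plugin, so a reinstall of core files and the password changes above are still needed on a site that was already compromised.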