The developers of the WordPress File Manager plugin have patched an actively exploited security issue permitting full website hijacking.
According to the Sucuri WordPress security team, the vulnerability emerged in version 6.4 of the software, which is used as an alternative to FTP in managing file transfers, copying, deletion, and uploads.
File Manager accounts for over 700,000 active installations.
In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project.
The file in question was pulled by third-party dependency elFinder and used as a code reference. An extension added to the file, the rename of…