Critical vulnerability in WordPress File Manager plugin

WP File Manager

The File Manager plugin is a popular WordPress plugin with more than 700 000 active installations. This plugin allows users to edit, delete, copy, paste, zip, upload, download files and folders directly from the WordPress backend.

On September 1st, the WordPress File Manager plugin was updated, fixing a critical vulnerability that allowed any website visitor to gain complete access to the website. Attackers have already found a way to exploit versions 6.8 and below of WordPress File Manager to inject malicious code into websites without authorization, creating backdoors for future abuse.

If you are running File Manager < 6.9, update immediately

WordPress users who use the File Manager plugin should upgrade to the latest version as soon as possible. If your website was compromised, you are advised to reinstall WordPress to clean up possibly infected core files. You can reinstall WordPress from the “Dashboard > Updates” menu to clean up the infected core files, and change all admin user and database passwords.

If you are not actively using the plugin, it’s best to uninstall it completely. You can always install it again if needed.
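The advice above hinges on knowing whether the installed plugin is still below 6.9. The script below is an added example, not code from the original post or from the plugin's authors: it reads the `Version:` field from a WordPress plugin header and compares it against the fixed release. It assumes the plugin lives at `wp-content/plugins/wp-file-manager/file_folder_manager.php` (verify the path on your install) and that `sort -V` is available (GNU coreutils); the sample header it checks is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an installed
# WP File Manager is older than the fixed release 6.9.
# Assumptions: the plugin's main file is
# wp-content/plugins/wp-file-manager/file_folder_manager.php and sort -V exists.

FIXED_VERSION="6.9"

# Print the "Version:" value from a WordPress plugin header file.
# Handles both "Version: x.y" and " * Version: x.y" header styles.
plugin_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when $1 is strictly lower than $2, comparing as versions
# (so 6.10 is correctly treated as newer than 6.9).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "VULNERABLE <v>", "OK <v>" or "UNKNOWN" for the plugin file in $1.
check_file_manager() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "UNKNOWN"
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE $v"
    return 1
  fi
  echo "OK $v"
  return 0
}

# Constructed sample header standing in for the real plugin file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/*
Plugin Name: File Manager
Version: 6.8
*/
EOF

check_file_manager "$SAMPLE"   # prints "VULNERABLE 6.8" for the sample above
rm -f "$SAMPLE"
```

On a live site, point `check_file_manager` at the real plugin file instead of the sample; a `VULNERABLE` result means the upgrade (or uninstall) described above is still outstanding, and the core reinstall and password rotation should follow if the site was exposed while unpatched.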
