Beer, Plugins, and Backdoors

Sometimes, websites seem harmless. A beer blog, a visual gallery, a friendly portal. But if you pause for a second… and look behind the facade… you’ll see an opportunity.

Today we’ll learn how poorly managed plugins can become serious attack vectors.

What is a WordPress plugin?

WordPress allows you to extend its functionality through small modules called plugins. These let you:

  • Display image sliders.
  • Add contact forms.
  • Connect social networks.
  • Insert dynamic content.

The problem is that many of these plugins are written by third parties and, if they are not updated regularly, they may contain publicly known vulnerabilities.

File Manager 6.0: The Plugin That Opened 700,000 Doors

File Manager was a legitimate WordPress plugin designed to provide a web interface for server file management. With over 700,000 active installations, it became an essential tool for many admins who preferred to manage files directly from the WordPress dashboard.

The Critical Flaw

In September 2020, security researchers discovered a critical vulnerability in File Manager version 6.0 and earlier. The issue was in a specific plugin file that:

  • Completely lacked authentication
  • Exposed administrative functions without verification
  • Allowed unrestricted file operations
  • Was directly accessible via URL

This vulnerability was assigned CVE-2020-25213 and a CVSS score of 10.0, the highest possible. The response was immediate but complex:

  • Metasploit quickly developed an exploit module
  • WordPress forced automatic updates (unusual)
  • Hosting providers began mass scanning and patching
  • The security community published multiple analyses and detection tools

TimThumb: When Functionality Becomes Vulnerability

TimThumb was a PHP library widely adopted by the WordPress community for dynamic image resizing. Its popularity was due to its simplicity: developers could easily integrate it into their themes to generate thumbnails automatically without pre-processing images.

The timthumb.php script worked by receiving parameters via GET, where you specified the image source and desired dimensions. This seemingly innocent functionality hid a serious security issue in its early versions.

The Vulnerability

The critical flaw was the lack of proper input validation. TimThumb accepted remote URLs as image sources and downloaded them to the server for processing. However, it did not properly check:

  • The actual type of the downloaded file
  • The extension of the remote file
  • The file content before storing it

This combination allowed an attacker to make the server download and store malicious PHP files, which could then be executed directly through the browser.
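As an added example (not code from the original lesson and not TimThumb's own code), here is the validation the text says was missing, written in Python: an allowlist of source hosts, an allowlist of extensions, a sniff of the downloaded bytes to learn the real file type, and a check that the extension and the content agree. The hostnames and the sample bytes are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse
import posixpath

# Constructed allowlist: the hosts a site trusts to serve source images.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.org"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the real file type from its leading bytes, not from its name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    return None

def validate_remote_image(src_url: str, data: bytes) -> Tuple[bool, str]:
    """Apply the three checks the text says were skipped, plus a host allowlist."""
    url = urlparse(src_url)
    if url.scheme not in ("http", "https") or url.hostname is None:
        return False, "unsupported or missing scheme/host"
    # Exact host match: substring or suffix matching is how look-alike hosts slip through.
    if url.hostname not in ALLOWED_HOSTS:
        return False, "host not allowed"
    ext = posixpath.splitext(url.path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not an image"
    if actual != EXT_TO_TYPE[ext]:
        return False, "extension does not match content"
    # A genuine image never needs a PHP open tag; refuse to store one on disk.
    if b"<?php" in data:
        return False, "embedded PHP tag"
    return True, "ok"

# Constructed samples: a minimal PNG header, and a non-image body named like a JPEG.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
NOT_IMAGE = b"<?php /* constructed placeholder, not an image */ ?>"

if __name__ == "__main__":
    for src, body in [("https://images.example.com/photo.png", PNG_BYTES),
                      ("https://images.example.com/photo.jpg", NOT_IMAGE)]:
        print(src, "->", validate_remote_image(src, body))
```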

Impact on the Community

The TimThumb vulnerability was devastating because:

  • Mass adoption: Thousands of popular themes included it
  • Hard to detect: Admins didn’t always know their themes used it
  • Easy to exploit: No sophisticated tools required
  • Persistence: Once exploited, the attacker could maintain access

The Attack: Thinking Like a Web Attacker

Think of it this way:

  1. A site has a plugin.
  2. The plugin has a vulnerability that allows file uploads.
  3. The uploaded file contains a shell.
  4. When the file is accessed… boom… direct connection.

The idea is to plant a reverse shell that connects from the victim to the attacker, and once inside… explore.
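The defender's view of the chain described above, as an added example that is not part of the original lesson: it scans constructed Apache-style access log lines for a timthumb.php request whose src (TimThumb's image-source query parameter) points at an unlisted host or at a .php file, and then for a later successful request from the same client to a PHP file under wp-content. The site hostnames, theme directory and log lines are all constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed: hosts the site legitimately loads source images from.
SITE_HOSTS = {"images.example.com", "beer.example.com"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def suspicious_src(target: str) -> Optional[str]:
    """Return why a timthumb.php request looks wrong, or None if it looks normal."""
    url = urlparse(target)
    if not url.path.lower().endswith("/timthumb.php"):
        return None
    src = parse_qs(url.query).get("src", [""])[0]
    remote = urlparse(src)
    if remote.scheme and remote.hostname not in SITE_HOSTS:
        return f"src from unlisted host {remote.hostname}"
    if remote.path.lower().endswith(".php"):
        return "src points at a PHP file"
    return None

def find_chains(lines: List[str]) -> List[Dict[str, str]]:
    """Pair a suspicious fetch with a later 200 on a PHP file under wp-content from the same client."""
    pending: Dict[str, str] = {}
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m["ip"], m["target"], m["status"]
        path = urlparse(target).path.lower()
        reason = suspicious_src(target)
        if reason:
            pending[ip] = reason
            alerts.append({"ip": ip, "stage": "fetch", "detail": reason, "path": path})
        elif (ip in pending and status == "200" and path.startswith("/wp-content/")
              and path.endswith(".php") and not path.endswith("/timthumb.php")):
            alerts.append({"ip": ip, "stage": "execute", "detail": pending[ip], "path": path})
    return alerts

# Constructed log lines (not from a real server).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-content/themes/beer/timthumb.php?src=https://images.example.com/pic.jpg&w=100 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /wp-content/themes/beer/timthumb.php?src=https://untrusted.example.net/x.php&w=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2020:13:56:09 +0000] "GET /wp-content/themes/beer/cache/x.php HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Oct/2020:13:57:00 +0000] "GET /wp-content/uploads/2020/10/logo.png HTTP/1.1" 200 2048',
]

for alert in find_chains(LOG_LINES):
    print(alert)
```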

Tools of the Trade: Metasploit

Metasploit is one of the most powerful frameworks for exploiting known vulnerabilities.

It allows you to:

  • Search for existing exploits.
  • Configure targets and parameters.
  • Execute attacks with surgical precision.

This exercise is a classic example of using Metasploit in its most direct form.

Hints Without Spoilers

  • Make sure you know the plugin version. Vulnerabilities live in the details.
  • Don’t underestimate the power of a simple search.
  • There are modules that do the heavy lifting for you.
  • The secret is in configuring the variables well: target address, entry point, and your own attacker data.

Metasploit isn’t magic. It’s precision, and if you know how to speak to it, it opens doors.

Mindset

The site seems to be celebrating. But maybe it celebrates too much. The attack isn’t in what’s visible. It’s in what’s unprotected, in what’s already patched… but not here.

Plugins are doors. Your job is to find the ones left open.

Remember

  • WordPress isn’t secure by itself.
  • Plugins are only as strong as their latest update.
  • A reverse shell is like a callback: “I’m in, what’s next?”
  • Tools like Metasploit exist, but you decide how and when to use them.

Where many see an old site with banners and sliders… you should see vectors, versions, and backdoors. Because in offensive cybersecurity, the enemy is negligence and your advantage is observation.

Cheers!