I’ve just discovered a number of random files on my Windows web server hosting a number of WordPress sites. The file and directory creation dates are all the same, but it’s only for the sites with WP 6.1. All of these sites are running the free Wordfence and all scans detect them as malicious, but I’m just wondering how I can determine what the exploit is and how they got there…
https://preview.redd.it/y5fse29cv9fa1.png?width=876&format=png&auto=webp&v=enabled&s=0677ef7e8960b48a726562c7b98858f79712e963
Start off by checking your plugins against somewhere like https://patchstack.com/ (or even using their automated service).
Note that it’s not a certainty that this vulnerability exists on all sites – it could just be one and the vulnerability permitted directory traversal into other installations – this depends largely on how the server is configured.
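As an added example that is not part of the original thread: one way to narrow down which site the files came in through is to take their shared creation time and list the write requests IIS logged around it, per site. The log excerpt, the `example-plugin` path, the IP addresses and the timestamps below are constructed; IIS writes W3C logs in UTC, so the file creation time has to be converted to UTC first.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt; every value here is made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename cs-method cs-uri-stem c-ip sc-status
2023-01-28 03:10:02 W3SVC2 GET /index.php 198.51.100.7 200
2023-01-28 03:14:40 W3SVC3 POST /wp-admin/admin-ajax.php 203.0.113.9 200
2023-01-28 03:14:55 W3SVC3 POST /wp-content/plugins/example-plugin/upload.php 203.0.113.9 200
2023-01-28 03:15:20 W3SVC2 POST /wp-login.php 198.51.100.7 302
2023-01-28 09:00:00 W3SVC3 POST /wp-cron.php 192.0.2.4 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # skip truncated or malformed rows
            row = dict(zip(fields, values))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def writes_near(text, created_utc, minutes=5):
    """Return POST/PUT requests logged within +/- `minutes` of the creation time."""
    window = timedelta(minutes=minutes)
    hits = []
    for r in parse_w3c(text):
        if r["cs-method"] not in ("POST", "PUT"):
            continue
        if abs(r["ts"] - created_utc) <= window:
            hits.append((r["ts"], r["s-sitename"], r["c-ip"],
                         r["cs-uri-stem"], r["sc-status"]))
    return sorted(hits)

if __name__ == "__main__":
    created = datetime(2023, 1, 28, 3, 15, 0)  # constructed creation time, UTC
    for ts, site, ip, uri, status in writes_near(SAMPLE_LOG, created):
        print(ts, site, ip, status, uri)
```

Requests that hit a plugin path on a single site just before files appear across several sites are the ones to check against a vulnerability database first.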