SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Actively Exploited Zero-Day Found in Popular WordPress eCommerce Plugin

More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns.

More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns.

Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices. The plugin provides various other customization options as well.

This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in Fancy Product Designer. The issue, they explain, could be exploited in certain configurations even if the plugin has been deactivated.

Tracked as CVE-2021-24370 and featuring a CVSS score of 9.8, the security bug exists because the plugin has insufficient checks in place and because existing checks can easily be bypassed, thus allowing for the upload of malicious files.

An attacker targeting the vulnerability could upload executable PHP files to any website that has the plugin installed. Successful exploitation of the bug could provide the attacker with the ability to execute code remotely and completely take over a website.

Wordfence has refrained from providing further details on the vulnerability, but says it will release additional technical information once a patch has been released.

However, the security firm did share indicators of compromise (IOCs), which include the presence of a file with a unique ID and a PHP extension in the wp-admin or wp-content/plugins/fancy-product-designer/inc subfolders.

The bug, Wordfence says, has been under attack since at least May 16, with most assaults coming from three IP addresses only, suggesting a small scale operation.

Advertisement. Scroll to continue reading.

The developer of Fancy Product Designer was informed about the vulnerability on May 31, the day the Wordfence team noticed the attacks.

Related: WordPress 5.7.1 Patches XXE Flaw in PHP 8

Related: Over 580 WordPress Vulnerabilities Disclosed in 2020: Report

Related: Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

Related: Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.