Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Actively Exploited Zero-Day Found in Popular WordPress eCommerce Plugin

More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns.

More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns.

Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices. The plugin provides various other customization options as well.

This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in Fancy Product Designer. The issue, they explain, could be exploited in certain configurations even if the plugin has been deactivated.

Tracked as CVE-2021-24370 and featuring a CVSS score of 9.8, the security bug exists because the plugin has insufficient checks in place and because existing checks can easily be bypassed, thus allowing for the upload of malicious files.

An attacker targeting the vulnerability could upload executable PHP files to any website that has the plugin installed. Successful exploitation of the bug could provide the attacker with the ability to execute code remotely and completely take over a website.

Wordfence has refrained from providing further details on the vulnerability, but says it will release additional technical information once a patch has been released.

However, the security firm did share indicators of compromise (IOCs), which include the presence of a file with a unique ID and a PHP extension in the wp-admin or wp-content/plugins/fancy-product-designer/inc subfolders.

The bug, Wordfence says, has been under attack since at least May 16, with most assaults coming from three IP addresses only, suggesting a small scale operation.

The developer of Fancy Product Designer was informed about the vulnerability on May 31, the day the Wordfence team noticed the attacks.

Related: WordPress 5.7.1 Patches XXE Flaw in PHP 8

Related: Over 580 WordPress Vulnerabilities Disclosed in 2020: Report

Related: Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

Related: Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.