More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns.
Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices. The plugin provides various other customization options as well.
This week, Wordfence discovered that threat actors are targeting an unpatched critical vulnerability in Fancy Product Designer. The issue, they explain, could be exploited in certain configurations even if the plugin has been deactivated.
Tracked as CVE-2021-24370 and featuring a CVSS score of 9.8, the security bug exists because the plugin has insufficient checks in place and because existing checks can easily be bypassed, thus allowing for the upload of malicious files.
An attacker targeting the vulnerability could upload executable PHP files to any website that has the plugin installed. Successful exploitation of the bug could provide the attacker with the ability to execute code remotely and completely take over a website.
Wordfence has refrained from providing further details on the vulnerability, but says it will release additional technical information once a patch has been released.
However, the security firm did share indicators of compromise (IOCs), which include the presence of a file with a unique ID and a PHP extension in the wp-admin or wp-content/plugins/fancy-product-designer/inc subfolders.
The bug, Wordfence says, has been under attack since at least May 16, with most assaults coming from three IP addresses only, suggesting a small scale operation.
The developer of Fancy Product Designer was informed about the vulnerability on May 31, the day the Wordfence team noticed the attacks.
Related: WordPress 5.7.1 Patches XXE Flaw in PHP 8
Related: Over 580 WordPress Vulnerabilities Disclosed in 2020: Report
Related: Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins
Related: Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild

More from Ionut Arghire
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
- New Wi-Fi Attack Allows Traffic Interception, Security Bypass
- Casino Giant Crown Resorts Investigating Ransomware Group’s Data Theft Claims
- Over 200 Organizations Targeted in Chinese Cyberespionage Campaign
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
- iOS Security Update Patches Exploited Vulnerability in Older iPhones
Latest News
- Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT
- Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App
- LeapXpert Banks $22M Funding to Secure Corporate Messaging With Consumer Apps
- Blockchain Security Firm True I/O Raises $9 Million
- Spera Banks $10 Million to Tackle Identity and Access Sprawl
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- New Wi-Fi Attack Allows Traffic Interception, Security Bypass
