A popular WordPress plugin is under active exploitation. ‘Fancy Product Designer’ contains a simple yet critical vulnerability that can grant a potential attacker complete control of the website.
The Fancy Product Designer plugin for WordPress has a critical file upload vulnerability that as-yet-unknown threat actors are actively exploiting. The security flaw has one of the highest vulnerability ratings.
Security researchers issue warning about a critical new zero-day vulnerability in a WordPress plugin:
Security researchers have discovered that Fancy Product Designer, a popular WordPress plugin, is vulnerable to exploitation. The plugin is currently active on 17,000 websites that rely on WordPress.
The Fancy Product Designer plugin lets businesses offer customizable products. It is essentially a consumer-facing customization tool that allows customers to design items such as T-shirts or phone cases. Customers can upload images and PDF files, which sellers then add to the products.
problematic file /fancy-product-designer/inc/custom-image-handler.php https://t.co/Q62rdViYJd
— Rempah (@RempahRz) June 2, 2021
The threat intelligence team at Wordfence first discovered the security flaw and quickly alerted the plugin's creators, who responded within 24 hours, threat analyst Ram Gall confirmed.
A critical zero-day vulnerability in a popular WordPress plugin is ‘under active attack’, according to researchers. The 17,000 sites running Fancy Product Designer have been urged to deactivate the plugin until a patch becomes available https://t.co/meX9dKXrDv
— The Daily Swig (@DailySwig) June 2, 2021
“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 01, 2021”.
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected”.
Uninstalling the Fancy Product Designer plugin for WordPress is the only protection from the actively exploited security vulnerability:
What the above statement means is that there is currently no patch or other active defense that secures the plugin. The only way to shield a website from exploitation is to uninstall the plugin completely.
“As this is a critical zero-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available”.
Zeroday: WordPress plugin Fancy Product Designer https://t.co/eYZSpOJG1k #Malware #cybersecurity #hacker #infosec #cyberattack #ethicalhacking #ransomware #cybercrime #hackers #security #pentesting #linux #phishing #technology #IoT pic.twitter.com/vky3c2IXyM
— Hackers Review (@HackersReview_) June 2, 2021
In simple terms, merely deactivating the plugin is not enough. The file upload vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8, rated ‘Critical’.
Gall has warned that an attacker could upload executable PHP files to any site with the plugin installed. “This effectively makes it possible for an attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover”.
Fancy Product Designer's developer patched the zero-day bug in version 4.6.9 released earlier today.
Customers should update immediately given that the zero-day is still under active exploitation (since January). https://t.co/9LBxNzvfPz
— BleepingComputer (@BleepinComputer) June 2, 2021
Incidentally, the Fancy Product Designer plugin has some checks to block malicious file uploads. However, a determined attacker can easily bypass the checks.
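Because the attack path described above is an executable PHP file landing in the uploads tree, the practical check for site owners is to scan that tree for anything the web server might run. The scanner below is an added example written for this article, not code from Wordfence or from the plugin; the extension set, the magic-byte table and the sample files are assumptions constructed for the demonstration, and it does not reproduce whatever bypass the attackers are using.

```python
import os
import re
import tempfile
# Assumed set of extensions a typical Apache/PHP-FPM setup executes as PHP; tune to the server config
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
# Magic bytes of the upload types the plugin accepts (images and PDF)
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF-"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def inspect_file(path):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    exts = ["." + p for p in os.path.basename(path).lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    with open(path, "rb") as fh:
        data = fh.read()
    if last in PHP_EXTENSIONS:                          # web server may execute it directly
        findings.append("php-extension")
    if any(e in PHP_EXTENSIONS for e in exts[:-1]):     # e.g. logo.php.jpg under AddHandler setups
        findings.append("double-extension")
    if last in MAGIC and not data.startswith(MAGIC[last]):  # claimed image/PDF type is spoofed
        findings.append("magic-mismatch")
    if PHP_TAG.search(data):                            # PHP open tag hidden inside an image/PDF
        findings.append("embedded-php")
    return findings

def scan_uploads(root):
    """Walk an uploads tree and return {relative_path: findings} for suspicious files only."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found = inspect_file(full)
            if found:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report

def build_sample_uploads():
    """Write a constructed sample tree (not real site data) into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {"clean.png": MAGIC[".png"] + b"\x00" * 32,
               "upload.php": b"<?php echo 'hello'; ?>",
               "logo.php.jpg": MAGIC[".jpg"] + b"\x00" * 32,
               "poly.jpg": MAGIC[".jpg"] + b"\x00" * 8 + b"<?= 1 ?>",
               "fake.pdf": b"<?php echo 1; ?>"}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Run `scan_uploads("/path/to/wp-content/uploads")` on a real site and treat every reported file as something to quarantine and investigate; a clean site returns an empty dict.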
[Update] The plugin's creators have issued a fix. Needless to say, users must update immediately.