Threat actors have actively exploited a zero-day vulnerability in the Fancy Product Designer plugin for WordPress sites to upload malware.
Fancy Product Designer is a visual product configurator for WordPress, WooCommerce, and Shopify that allows users to personalize products with their own images and information.
More than 17,000 websites have purchased and installed the plugin.
Zero-day vulnerabilities are publicly known vulnerabilities that vendors have yet to patch; they are sometimes actively exploited in the wild or have publicly available proof-of-concept exploits.
Wordfence security analyst Charles Sweethill found the security flaw, which is a critical severity remote code execution (RCE) vulnerability.
The WordPress version of the plugin is also vulnerable, including in WooCommerce installations.
Because Shopify enforces stricter access controls for sites hosted on its platform, attacks against the Shopify version of the plugin would most likely be blocked.
Successfully exploiting the Fancy Product Designer bug lets an attacker bypass the plugin's built-in checks that are meant to block harmful file uploads and place executable PHP scripts on sites where the plugin is installed.
From there, threat actors can achieve remote code execution and take full control of vulnerable sites.
Because the vulnerability is being actively exploited, threat analyst Ram Gall said Wordfence is disclosing it publicly with minimal details, even though it has not yet been patched, so that the community can take steps to keep their sites safe.
The attacks targeting thousands of sites using the Fancy Product Designer plugin began more than two weeks ago, on May 16, 2021, although the vulnerability has so far only been exploited on a small scale.
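The article attributes the intrusion to a bypass of the plugin's own file-type checks, with the payload being a PHP script that lands in a web-reachable upload directory. The following Python example is added here as a defender's illustration and is not code from the article, from Wordfence, or from the Fancy Product Designer plugin. It does two things a site owner would want after reading the above: a `classify_upload` check that rejects a file unless every dotted suffix is non-executable, the last extension is on an allow-list and the leading bytes match that type, and a `scan_uploads` sweep over an existing uploads tree that reports files failing those rules. The allow-list, the magic-byte table and the sample directory (`2021/05/...`) are constructed assumptions, not the plugin's real layout or checks.

```python
"""
Added defensive example (not from the article or the Fancy Product Designer plugin):
an extension-plus-content upload check and a scanner for a WordPress-style
wp-content/uploads tree. The allow-list, magic bytes and sample files are assumptions.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions a product-customisation upload feature legitimately needs (assumption).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".pdf"}

# Extensions a typical web server hands to the PHP interpreter (assumption; tune per server).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Leading bytes expected for the binary types; SVG and PDF text are checked only for PHP tags.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
}

PHP_TAGS = (b"<?php", b"<?=")


def classify_upload(filename: str, head: bytes) -> Optional[str]:
    """Return None if the file looks like a legitimate upload, else a reason to reject it.

    Every dotted suffix is inspected, not just the last one, so 'photo.php.jpg' is
    rejected; the declared type must match the leading bytes; and any file whose
    header contains a PHP open tag is refused regardless of its extension.
    """
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if not suffixes:
        return "no extension"
    if any(s in PHP_EXTENSIONS for s in suffixes):
        return "executable extension in name: " + "".join(suffixes)
    ext = suffixes[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext} not in allow-list"
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        return f"content does not match {ext} signature"
    if any(tag in head for tag in PHP_TAGS):
        return "PHP open tag inside supposedly non-executable file"
    return None


def scan_uploads(root: str, head_bytes: int = 4096) -> List[Tuple[str, str]]:
    """Walk an uploads tree; return (relative POSIX path, reason) for each suspicious file."""
    findings = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)  # only the header is needed for these checks
        reason = classify_upload(path.name, head)
        if reason is not None:
            findings.append((path.relative_to(root_path).as_posix(), reason))
    return findings


def build_sample_tree() -> str:
    """Create a constructed uploads look-alike: one clean image and three files that must be flagged."""
    root = tempfile.mkdtemp(prefix="uploads_")
    month_dir = Path(root) / "2021" / "05"
    month_dir.mkdir(parents=True)
    (month_dir / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 32)     # clean PNG header
    (month_dir / "design.jpg").write_bytes(b"<?php /* constructed */ ?>")    # PHP text behind .jpg
    (month_dir / "shell.php").write_bytes(b"<?php /* constructed */ ?>")     # outright PHP file
    (month_dir / "photo.php.jpg").write_bytes(MAGIC[".jpg"] + b"\x00" * 16)  # double extension
    return root


if __name__ == "__main__":
    for rel_path, why in scan_uploads(build_sample_tree()):
        print(f"{rel_path}: {why}")
```

The scan is a post-hoc check and does not replace the real fix, which is updating the plugin; it is useful for confirming that a site exploited before the update was applied no longer holds stray PHP under its uploads directory. The order of the checks matters: the extension test runs before the content test so that a correctly formed JPEG named `photo.php.jpg` is still rejected on a server that maps the inner `.php` suffix to the interpreter.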
Users who have this plugin installed should uninstall it until a fixed version is released.
Update: Fancy Product Designer’s developers have published an update (version 4.6.9) to address the previously noted file upload vulnerability.
Wordfence has also released updated indicators of compromise (IoCs) linked with the attack, which can be seen here.