A critical new zero-day security vulnerability in a WordPress plugin is being actively exploited in the wild, according to security researchers.
According to Wordfence experts, the Fancy Product Designer plugin is installed on over 17,000 websites and allows users to upload images and PDF files to products.
Commenting on the development, Ram Gall, a Threat Analyst, said: “We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 01 2021.”
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.”
The file upload vulnerability carries a Common Vulnerability Scoring System (CVSS) score of 9.8. Although the Fancy Product Designer plugin has several checks in place to prevent malicious file uploads, attackers can easily circumvent them. Gall cautioned that an attacker could theoretically upload executable PHP files to any website with the plugin installed.
He added: “This effectively makes it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”
To protect customers from the attacks, Wordfence added a new rule to its paid firewall product on Monday; the same rule reached the free version on June 30.
For the time being, users were advised to uninstall the plugin.
Gall concluded: “As this is a critical zero-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available.”