Critical Zero-Day in WordPress Plugin Under Active Attack

Security researchers have warned of a critical new zero-day vulnerability in a WordPress plugin actively exploited in the wild.

The Fancy Product Designer plugin is installed on over 17,000 sites, allowing users to upload images and PDF files to products, according to experts at security vendor Wordfence.

“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 01 2021,” explained threat analyst Ram Gall.

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.”

The file upload vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8. Although the Fancy Product Designer plugin has some checks to block malicious file uploads, attackers can easily bypass the checks. In theory, an attacker could upload executable PHP files to any site with the plugin installed, Gall warned.
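The article does not say how the plugin's upload checks are bypassed, so the following is an added, illustrative example rather than the plugin's own code or Wordfence's detection rule. It contrasts a weak extension denylist with the kind of allowlist-plus-content validation a defender would want for a feature that accepts only images and PDFs: every extension component must be on the allowlist (which catches double extensions), control characters are rejected, the file's leading bytes must match the claimed type, and the stored name is generated server-side. `ALLOWED_EXTENSIONS`, `MAGIC`, the sample filenames and the function names are all assumptions constructed for this example.

```python
import secrets

# Constructed allowlist: only the types the feature actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Constructed magic-byte table used to check that content matches the extension.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def weak_is_allowed(filename: str) -> bool:
    """Weak check: a denylist that only inspects the final extension.

    Anything not literally ending in .php passes, so names with a second
    extension or an alternate server-side extension are accepted.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Hardened check: allowlist every extension component and sniff content."""
    # Strip any directory component the client may have sent.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    # Reject control characters (including NUL) that could truncate the name later.
    if any(ord(c) < 32 for c in name):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a bare dotfile
    # Every component after the base name must be an allowed extension,
    # so "photo.php.jpg" fails because "php" is not on the allowlist.
    if any(p not in ALLOWED_EXTENSIONS for p in parts[1:]):
        return False
    # The declared type must agree with the file's leading bytes.
    return content.startswith(MAGIC[parts[-1]])


def safe_storage_name(original_filename: str) -> str:
    """Never reuse the client-supplied name on disk: generate one server-side."""
    ext = original_filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


def validate_upload(filename: str, content: bytes) -> dict:
    """Run both checks on one upload and report what each would decide."""
    return {
        "weak_accepts": weak_is_allowed(filename),
        "hardened_accepts": hardened_is_allowed(filename, content),
    }


if __name__ == "__main__":
    # Constructed sample uploads: one legitimate JPEG, one mislabelled PHP file.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("photo.php.jpg", b"<?php echo 1; ?>"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```

The point of the comparison is that a denylist answers the wrong question ("is this one of the names I know are bad?") while the allowlist answers the right one ("is this exactly one of the few things I am willing to accept?"); storing the file under a generated name and outside the web root, where the hosting setup allows it, closes the remaining gap between "uploaded" and "executed".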

“This effectively makes it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” he added.

Wordfence issued a new rule to its paid firewall product on Monday, with subsequent updates to its free version on June 30 to protect customers from the attacks.

However, users were urged to uninstall the plugin for the time being.

“As this is a critical zero-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available,” concluded Gall.