A major WordPress plugin flaw is being actively exploited in the wild

Unbreakable Lock
(Image credit: KAUST)

Update: Wordfence has said that a patched version of the compromised plugin is now available as of June 2, 2021. Kathy Zant, Director of Marketing at Defiant, Inc who develop Wordfence added: "We've added some indicators of compromise to our story as well as some details on hacker motives, which appear to be e-commerce related."

Security researchers have discovered a critical file upload vulnerability in the Fancy Product Designer WordPress plugin that is being actively exploited in the wild. 

In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is already installed on over 17,000 sites.

The Fancy Product Designer plugin offers users the ability to upload images and PDF files that can then be added to listed products on a website. 

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

Wordfence discovered that although the plugin has some checks to prevent malicious files from being uploaded, these can be bypassed. As a result, threat actors could upload executable PHP code, for any sort of Remote Code Execution (RCE) attack including full site takeovers.

Not yet patched

Wordfence contacted the plugin’s developer the same day it discovered the vulnerability being exploited in the wild, and received a response within 24 hours. 

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” write the Wordfence researchers.

The critical zero-day vulnerability is exploitable in some configurations even if the plugin has been deactivated, warns Wordfence, urging all users to completely uninstall the plugin until a patched version is available.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.