Update: Wordfence has said that a patched version of the compromised plugin is now available as of June 2, 2021. Kathy Zant, Director of Marketing at Defiant, Inc who develop Wordfence added: "We've added some indicators of compromise to our story as well as some details on hacker motives, which appear to be e-commerce related."
Security researchers have discovered a critical file upload vulnerability in the Fancy Product Designer WordPress plugin that is being actively exploited in the wild.
In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is already installed on over 17,000 sites.
The Fancy Product Designer plugin offers users the ability to upload images and PDF files that can then be added to listed products on a website.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
- We've built a list of the best managed WordPress hosting providers
- Here are the best ecommerce plugins for WordPress
- Also check our list of the best WordPress SEO plugins
Wordfence discovered that although the plugin has some checks to prevent malicious files from being uploaded, these can be bypassed. As a result, threat actors could upload executable PHP code, for any sort of Remote Code Execution (RCE) attack including full site takeovers.
Not yet patched
Wordfence contacted the plugin’s developer the same day it discovered the vulnerability being exploited in the wild, and received a response within 24 hours.
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” write the Wordfence researchers.
The critical zero-day vulnerability is exploitable in some configurations even if the plugin has been deactivated, warns Wordfence, urging all users to completely uninstall the plugin until a patched version is available.
- These are the best web hosting services for your website