A major WordPress plugin flaw is being actively exploited in the wild Unbreakable Lock

• June 2, 2021

Security researchers have discovered a critical file upload vulnerability in the Fancy Product Designer WordPress plugin that is being actively exploited in the wild. 

In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is already installed on over 17,000 sites.

The Fancy Product Designer plugin offers users the ability to upload images and PDF files that can then be added to listed products on a website. 

Wordfence discovered that although the plugin has some checks to prevent malicious files from being uploaded, these can be bypassed. As a result, threat actors could upload executable PHP code, for any sort of Remote Code Execution (RCE) attack including full site takeovers.

Not yet patched

Wordfence contacted the plugin’s developer the same day it discovered the vulnerability being exploited in the wild, and received a response within 24 hours. 

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” write the Wordfence researchers.

The critical zero-day vulnerability is exploitable in some configurations even if the plugin has been deactivated, warns Wordfence, urging all users to completely uninstall the plugin until a patched version is available.

Source

Security researchers have discovered a critical file upload vulnerability in the Fancy Product Designer WordPress plugin that is being actively exploited in the wild.  In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is already installed on…