Security researchers have discovered a critical file upload vulnerability in the Fancy Product Designer WordPress plugin that is being actively exploited in the wild.
In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is already installed on over 17,000 sites.
The Fancy Product Designer plugin offers users the ability to upload images and PDF files that can then be added to listed products on a website.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
>> Click here to start the survey in a new window<<
Wordfence discovered that although the plugin has some checks to prevent malicious files from being uploaded, these can be bypassed. As a result, threat actors could upload executable PHP code, for any sort of Remote Code Execution (RCE) attack including full site takeovers.
Not yet patched
Wordfence contacted the plugin’s developer the same day it discovered the vulnerability being exploited in the wild, and received a response within 24 hours.
“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected,” write the Wordfence researchers.
The critical zero-day vulnerability is exploitable in some configurations even if the plugin has been deactivated, warns Wordfence, urging all users to completely uninstall the plugin until a patched version is available.