Critical 0day in the Fancy Product Designer WordPress plugin actively exploited

A critical zero-day vulnerability in the Fancy Product Designer WordPress plugin exposes more than 17,000 websites to attacks.

Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021-24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild.

Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in their online stores, it is currently installed on more than 17,000 websites.

Experts pointed out that the vulnerability could be exploited only in certain configurations, but even if the plugin is not active.

Attackers are exploiting the flaw to extract order information from site databases, anyway, this vulnerability is likely not being attacked on a large scale.

Users could modify their products by uploading images and PDF files, but experts noticed that the checks in place to prevent malicious files from being uploaded are not sufficient and could be easily be bypassed

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed.” reads the post published by the experts. “This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The flaw has been rated with a CVSS score of 9.8 out of 10, an attacker could exploit the issue to upload executable PHP files to online stores that have the plugin installed.

Wordfence did not disclose technical details on the vulnerability to avoid it could be exploited in the wild, it only shared indicators of compromise (IOCs) for the attacks to allow administrators to prevent the attacks.

Below the vulnerability timeline:

May 31, 2021 15:05 UTC – Wordfence Security Analyst Charles Sweethill finds evidence of a previously unknown vulnerability during malware removal and forensic investigation as part of a site cleaning and begins investigating possible attack vectors.
May 31, 2021 15:45 UTC – Charles notifies the Wordfence Threat Intelligence team and a full investigation begins.
May 31, 2021 16:20 UTC – We develop an initial proof of concept and begin work on a firewall rule.
May 31, 2021 17:06 UTC – We initiate contact with the plugin developer.
May 31, 2021 18:59 UTC – We release the firewall rule protecting against this vulnerability to Wordfence Premium customers.
June 1, 2021 09:03 UTC – The plugin developer responds to our initial contact.
June 1, 2021 13:35 UTC – We send over full disclosure.
June 2, 2021 – The plugin developer releases a patched version, 4.6.9, of the plugin.
June 30, 2021 – Firewall rule becomes available to free Wordfence users.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPresss)

[adrotate banner=”5″]

[adrotate banner=”13″]